Abstract

Decentralized Autonomous Organizations (DAOs) use smart contracts to foster communities 
working toward common goals. Existing definitions of decentralization, however—the ‘D’ in 
DAO—fall short of capturing key properties characteristic of diverse and equitable participation. 

We propose a new metric called Voting-Bloc Entropy (VBE, pronounced “vibe”) that formalizes
a broad notion of decentralization in voting on DAO proposals. VBE measures the
similarity of participants’ utility functions across a set of proposals. We use VBE to prove a
number of results about the decentralizing effects of vote delegation, proposal bundling, bribery,
and quadratic voting. Our results lead to practical suggestions for enhancing DAO decentralization.

One of our results highlights the risk of systemic bribery with increasing DAO decentralization.
To show that this threat is realistic, we present the first practical realization of a Dark
DAO, a proposed mechanism for privacy-preserving corruption of identity systems, including
those used in DAO voting. Our Dark-DAO prototype uses trusted execution environments
(TEEs) in the Oasis Sapphire blockchain for attacks on Ethereum DAOs. It demonstrates that
Dark DAOs constitute a realistic future concern for DAO governance.


1 Introduction 


A Decentralized Autonomous Organization (DAO) is an entity or community that operates based
on rules encoded and executed on a public blockchain [22] [46]. As the name suggests, a DAO’s
governance is decentralized, meaning that it does not rely on a single individual or highly concentrated
authority—in contrast to, e.g., a corporation, where a CEO and board of directors make major
decisions. Instead, decisions in a DAO are typically made through community votes on proposals.
A DAO’s treasury, consisting of crypto assets, also generally resides in its smart contract. The
contract enforces adherence to community decisions regarding use of its treasury and also offers
operational transparency.

DAOs can serve many goals, including investment (e.g., The DAO [48,164], Mantle Network [58]),
grant distribution (e.g., MolochDAO [6], ResearchDAO [9]), gaming-guild organization (e.g.,
AvocadoDAO [2], GuildFi [5]) and—as is the case for DAOs with the largest treasuries—ecosystem
governance (e.g., Uniswap [11], Lido [53], Arbitrum [15], Optimism Collective [8], MakerDAO [56]).

DAOs of all types are rising rapidly in popularity. At the time of writing (Nov. 2023), the
aggregate value across all DAO treasuries exceeds $17 billion [3], almost double the amount just a
year ago.
DAOs today vary considerably in their true degree of decentralization. Most have their own 
(or “tokens”) and weigh voting power by token holdings. It is common 
for vote outcomes to be determined by a small set of “whales”—a colloquial term used to denote 
the largest token holders. Such centralization, as well as low voting participation, are a pervasive 
source of concern in DAO communities. Vulnerability to centralization has even led to plundering 
of DAO treasuries [57]. 

A number of works have sought to recommend ways to improve DAO decentralization. But 
first it’s necessary to be able to measure it in a way that is reflective of a broad set of real-world 
concerns. That requirement is the starting point for our work in this paper. 


1.1 Measuring DAO Decentralization 


A common basis for evaluating decentralization in DAOs and other blockchain settings is token
ownership, specifically the distribution of assets and consequently voting rights among
participants [44]. Informally, concentration of a large fraction of tokens in a small number of hands—
and thus the ability of a small group to determine voting outcomes—is indicative of strong
centralization. More widespread distribution, conversely, suggests decentralization.

Entropy is one popular metric for measuring decentralization in the distribution of token
ownership in a DAO. For a set of addresses $A = \{a_1, \ldots, a_n\}$, where address $a_i$ holds $t_i$ tokens and
$T = \sum_{j=1}^{n} t_j$:


Low entropy corresponds to a high degree of asset concentration and thus strong centralization.
High entropy implies the opposite. Other popular decentralization metrics, e.g., the Gini
coefficient [41] and the Nakamoto coefficient [7] [74], are related to various notions of entropy.

Token ownership distribution alone, however, has serious shortcomings as a decentralization 
metric. To begin with, it is visible on chain only in terms of per-address holdings, not control by 
real-world individuals. Thus, for instance, an individual who holds 51% of tokens in a DAO, but 
spreads them among a large number of addresses could create an appearance of decentralization 
while having majority control. 

Even if tokens are held by distinct entities, a notion put forward in, e.g., [50], those entities
may have aligned interests and act in concert—a form of centralization. The following examples
illustrate cases in which a DAO may be strongly centralized, even if token ownership appears to
imply strong decentralization.


Example 1 (Low participation). Lack of participation in DAO governance votes is
widespread in practice and induces a form of centralization. Consider, for example, a DAO
that requires a quorum of 50% participation for a vote to be ratified. Suppose 50% of voters do not
cast votes and voters other than whales vote 2:1 in favor of the proposal. Whales with just 12.6%
of all tokens can swing the vote and cause the proposal to be rejected.

1 Entropy is typically defined over a random variable. A token ownership distribution may be viewed as a random


Example 2 (Herding). Interviews with DAO participants have revealed a tendency to vote in
alignment with influential community members to preserve reputation [72], as individual votes are
today usually publicly observable. This effect—often called herding [17]—has a centralizing
effect. It aligns votes around the choices of a small set of participants. (This problem is similar to
the notion of “herding” in classical voting theory [45] [13].)


Example 3 (Bribery / vote-buying). Bribery—specifically, vote-buying—has been a longstanding 
concern of DAO organizers [25]. It has a centralizing effect, as it aligns voters around a choice 
dictated by the briber. 


Recognizing that token-ownership alone doesn’t give a full picture of decentralization,
researchers have explored broader notions. Most notably, Sharma et al. have considered entropy
measures limited to those voters who participate in votes and have also explored graph-based
representations of voting patterns (degree centralization, degree assortativity, etc.). Token-ownership
distribution among voting participants fails to capture important issues, such as those in Examples 2
and 3, however, and it’s unclear how to interpret graph-based metrics.

With no consensus in the community about how to measure DAO decentralization today, there
is a lack of principled guidance on ways to improve DAO decentralization and to combat threats
to decentralization, such as vote-buying.


1.2 Voting-Bloc Entropy (VBE) 


We introduce a decentralization metric tailored to DAO governance called Voting-Bloc Entropy (VBE, 
pronounced “vibe”). VBE is based on a foundational principle, that 


in contrast to the notion of “credible neutrality” in
voting, which is characterized by “positive ratings from people across a diverse range of
perspectives” [21]. Expressed differently, the key idea in VBE is to define centralization as the existence of
large voting blocs.


Formally, we express this principle in terms of the utility functions of DAO participants, i.e.,
quantification of the gain or loss associated with voting outcomes. For a given set of elections,
a voting bloc is a cluster of voters whose utility functions are similar over outcomes. Utility
functions are latent variables—conceptually important, but not always directly measurable—and
consequently VBE is as well [42].

VBE then, measures entropy over voting blocs based on utility functions—rather than over
individual token holdings. The result is a broad concept that captures the centralization embodied
in all of our examples above. VBE is in fact a framework: It allows
and entropy to be plugged in.

We stress that VBE is a theoretical metric: It cannot be measured directly, since users do
not typically express (or often even know) their utility functions explicitly. But VBE provides an
and does lend itself to indirect measurement.


VBE Implications: We use VBE to prove a number of theoretical results showing how various 
practices tend to increase or decrease DAO decentralization. (We prove these results relative to 
particular notions of clustering and entropy.) 

Our main results are as follows: 


• Apathy / inactivity whale: A large population of apathetic, i.e., non-voting DAO
participants, is a centralizing force (Theorem 3.3).

• Delegation: Given an inactivity whale of large size relative to delegatees, delegation tends
(perhaps counterintuitively) to increase decentralization (Theorem 3.4).

• Bribery: Bribery and decentralization are closely related in the context of DAO governance.
The act of bribery decreases decentralization (Theorem 3.7). Additionally, as the
decentralization of a DAO rises, so does the risk of systemic bribery—and vice versa (Theorems
and 3.9).

We additionally prove results relating to herding and privacy (Theorem 3.5), quadratic voting
(Theorem 3.10) and owning multiple accounts (Theorem 3.2).

Looking ahead, our theorem statements and proofs are simple, and some just show how VBE 
confirms a known pattern (for example, that quadratic voting is susceptible to sybil attacks). 
However, our goal is to show the flexibility of VBE, and how, unlike prior metrics, it is able 
to capture the subtle impacts that certain mechanisms have on decentralization. Thus, the main
contribution of VBE is to put forth a new way to think about DAO decentralization. That is, VBE 
introduces a paradigm shift, namely, 
of individual accounts—as 


1.3 Dark DAOs 
Our results on bribery and decentralization (Theorems 3.7 and 3.9) show that as decentraliza-


This observation raises 
a critical followup question: Is large-scale bribery a realistic future threat to DAOs? 

One mechanism postulated for systemic DAO-voting bribery is a Dark DAO. A Dark DAO 
was originally defined as “a decentralized cartel that buys on-chain votes opaquely.” [83]. Here, 
“opaquely” means that participation in the Dark DAO is confidential. A Dark DAO must also 
ensure correct execution of a bribery scheme, i.e., bribees are paid if and only if they vote as 
directed. We define a Dark DAO more broadly as a DAO 
identity system. The goal may be to attack a voting scheme, but could be to attack another 
system, e.g., we also consider attacks against privacy pools [27], which are effectively DAOs to 
enhance cryptocurrency privacy. 

To date, the feasibility of a fully functional Dark DAO has yet to be demonstrated. In this
work, we present a Dark DAO prototype to facilitate vote-buying in DAOs on Ethereum—the most
popular blockchain for DAOs today. In its back end, it leverages the confidentiality enforced by
trusted hardware (specifically Intel SGX) in the Oasis Sapphire blockchain. We also present a
“Dark DAO Lite” prototype variant that offers greater ease of usability than our basic prototype,
but at the cost of weaker confidentiality.

2 https://github.com/oasisprotocol/sapphire-paratime

We underscore our belief that Dark DAOs do not pose a current threat, given the limited
decentralization of DAOs today, and briefly review ethical considerations in this paper. Our work
demonstrates that Dark DAOs are an eminently realistic future threat, however. We discuss possible
Dark-DAO mitigations as a first step toward community development of countermeasures.
Our techniques for Dark-DAO construction are of independent interest, as they point the way
toward general techniques for the construction of new financial instruments.


1.4 Contributions 


In summary, our contributions in this work are: 


• Voting-Bloc Entropy (VBE): We introduce VBE, a new metric for DAO decentralization
that generalizes prior metrics and addresses a number of their shortcomings (Section 2).

• Theoretical results: Using VBE, we prove a range of results about how various DAO
practices and design choices impact decentralization (Section 3).

• Dark DAOs: Our theoretical results highlight risks of systemic bribery in attacking DAOs—
via Dark DAOs—against highly decentralized target DAOs. To show that these risks are a
realistic long-term concern, we implement two end-to-end Dark DAO prototypes with different
confidentiality / ease-of-use trade-offs (Sections 5 to 7). Our techniques are of general interest
as they include innovations in the construction of decentralized-finance instruments.

• Practical guidance: Based on our theoretical and experimental results, we present concrete
points of practical guidance for DAO design and deployment around issues including
delegation, voting privacy, voting-slate composition, decentralized identity, and more (Section 8).
We summarize this guidance in Table [B]

We review related work in Section 9 and conclude with some open research questions in
Section


2 Voting-Bloc Entropy (VBE) 


In this section, we define Voting-Bloc Entropy (VBE), which sidesteps the aforementioned
limitations of prior metrics. It does so by


Intuition. The key idea behind our definition is to reason about centralization with respect to the 
tokens held by groups of DAO members with aligned interests, instead of with respect to individual 
members. That is, instead of measuring the distribution of tokens across individual addresses, 
we focus instead on how tokens are distributed across blocs of voters with the same incentives, 
which are functionally acting as a single entity. Looking ahead, we formalize the notion of “aligned 
interests” by considering the DAO members’ utility functions across elections. 

Aggregating voters based on utility functions allows us to capture the rich interactions and
relationships between players in the system, all of which play a role in understanding the true
degree of decentralization of a DAO, as discussed in Section 1.1. Indeed, the limitations highlighted
there are captured by considering voters with similar utility functions as a single entity; we discuss
this extensively in Section


DAO abstraction. We now introduce the notation and formalism that our definition and
theorems rely on.

Let $\mathcal{P} = \{P_1, \ldots, P_n\}$ be the set of token holders in a system, and
$\mathsf{tokens}: \mathcal{P} \to \mathbb{R}^+$ a mapping specifying the number of tokens held by each
$P \in \mathcal{P}$. (We will often overload this notation, and input a set of accounts to
$\mathsf{tokens}$ instead, by which we mean the total tokens held across all accounts in the set.)
These token holders participate in a set of (binary) elections $E = \{e_1, e_2, \ldots, e_m\}$,
where we denote by $\mathsf{vote}_P(e)$ player $P$’s vote in election $e$; $\bot$ indicates that
$P$ abstained from voting in $e$. We define to be the
of an outcome of $\mathsf{true}$ or $\mathsf{false}$ in $e$ to player $P$, where we make the simplifying assumption
that $\mathsf{util}_P(e, \mathsf{true}) = -\mathsf{util}_P(e, \mathsf{false})$. Player $P$’s $E$ is represented
by a vector $U_{E,P} := (\mathsf{util}_P(e_i, \mathsf{true}))_{i \in [m]} \in \mathbb{R}^m$; we denote by
$U_{E,\mathcal{P}}$ all players’ utilities, i.e., $U_{E,\mathcal{P}} = (U_{E,P})_{P \in \mathcal{P}}$.

Token holders often have low stakes in the elections, resulting in lack of interest or abstaining
from voting altogether. More formally, we say that player $P$ is $\epsilon$-apathetic in election $e$ if and only
We denote this set of by $A$. If the system supports vote
(for example, as a means to combat apathetic voters), players may delegate their tokens
to others, who

Lastly, we define $\mathsf{bribe}_P: E \times \{\mathsf{true}, \mathsf{false}\} \to \mathbb{R}$ to be such that it is possible for player $P$
E Note that we make t

bribing a given $P$
to flip its vote from $\mathsf{true}$ to $\mathsf{false}$ (respectively, $\mathsf{false}$ to $\mathsf{true}$) costs
$\max(2 \cdot \mathsf{util}_P(e, \mathsf{true}) + \epsilon, 0)$
(respectively, $\max(2 \cdot \mathsf{util}_P(e, \mathsf{false}) + \epsilon, 0)$), for some constant $\epsilon$. Successful bribery to achieve an
outcome of $\mathsf{true}$ in $e$
$q$ of votes for $\mathsf{true}$ in $e$ (and vice versa for $\mathsf{false}$), i.e., ensuring

$$\sum_{P \in \mathcal{P}} \left(\mathsf{tokens}(P) \mid \mathsf{vote}_P(e) = \mathsf{true}\right) > q \cdot \sum_{P \in \mathcal{P}} \mathsf{tokens}(P).$$


For example, a typical value for q may be q = 0.5, which corresponds to an absolute majority. 
We stress that the equation above represents the threshold to ensure the desired outcome in an 
election, and not just to win it. Albeit related, these notions are not equivalent; the former implies 
the latter, but not vice-versa. In particular, 


2.1 Framework for VBE


We present VBE in this section. To do so, we introduce an abstract framework that is parameterized
by: (1) a clustering metric, and (2) which are the two key ingredients that
underpin our definition.


Clustering. We let $C: U_{E,\mathcal{P}} \times U_{E,\mathcal{P}} \to \{0, 1\}$ be a clustering function that outputs 1 if the
utilities of two players are “aligned” across all elections $E$, and 0 otherwise. Our definition of
VBE is agnostic to a specific clustering algorithm, and instead only assumes that $C$ specifies an
equivalence relation $\sim_C$ on the set $\mathcal{P}$, such that $P_i \sim_C P_j$ if and only if
$C(U_{E,P_i}, U_{E,P_j}) = 1$. That is, $C$ partitions $\mathcal{P}$ into classes of players with
aligned utility functions across elections. Following standard notation, we denote the set of all
classes by $\mathcal{P}/\!\sim_C$, and the class $P$ belongs to by $[P]$.


Entropy. We denote by $F$ a function from the distribution of tokens across sets of accounts to
real numbers. The purpose of $F$ is to measure, in some sense,

across voting blocs. Thus, in practice, $F$ will generally consist of some notion of entropy, such as
one of the many variants of Rényi entropy, e.g., min-entropy, Shannon entropy, or max entropy.
(Note that
as defined in prior work [72].) We stress, however, that in principle $F$ can be any function,
and our definition makes no assumptions about its structure. As one example, given a clustering
with single entities, we can use any distance metric $d(\cdot,\cdot)$ on $U_{E,\mathcal{P}}$ and define $F$ as the negative of the
sum of squares distance between all pairs of player utilities, i.e.,
$F = -\sum_{P_i, P_j \in \mathcal{P}} d(U_{E,P_i}, U_{E,P_j})^2$.


We are now ready to define VBE. Intuitively, our definition says that a DAO is more decentralized 
according to F. More concretely: 


Definition 1 (Voting-Bloc Entropy). For a set of elections $E$, a set of players $\mathcal{P}$ with corresponding
utilities $U_{E,\mathcal{P}}$, a mapping specifying the distribution of token ownership $\mathsf{tokens}$, a clustering metric
$C$, and an entropy functi


2.2 Instantiation


There are various concrete algorithms with which one can instantiate our VBE framework. We 
propose one such example in this section, which we use throughout the rest of the paper. The 
advantages and disadvantages of this variant, and VBE in general, are discussed in Section 4.


Clustering. We define $\epsilon$-threshold ordinal clustering ($\epsilon$-TOC) as follows:

$$C_\epsilon(U_{E,P_i}, U_{E,P_j}) = \begin{cases} 1 & \text{if } \forall k \in [m],\ \left(\mathrm{sgn}(U_{E,P_i}[k]) = \mathrm{sgn}(U_{E,P_j}[k])\right) \lor \left(|U_{E,P_i}[k]|, |U_{E,P_j}[k]| < \epsilon\right) \\ 0 & \text{otherwise} \end{cases}$$

More simply, $\epsilon$-TOC clusters together token holders who have the same preferred outcome
is. That is, clusters correspond to
token holders whose utility functions are ordinally equivalent. Even though a more granular metric
could create clusters based on cardinal utility, we regard ordinal equivalence to be indicative of
aligned preferences. Further, as we discuss in Section 4, $\epsilon$-TOC has the benefit of being computable
whereas more complex clustering metrics may be more difficult (or
impossible) to estimate.

In addition to these blocs, $\epsilon$-TOC also creates an additional cluster corresponding to all apathetic
voters $A$, i.e., those whose utilities are close to 0. These voters have aligned preferences, namely,
little to no interest in election outcomes.


3 Entropy is formally defined over a random variable, but we are overloading notation to think of the mapping


Entropy. In this work, we use min-entropy as our entropy notion. That is, for a set of sets of
addresses $\mathcal{A}$ with a total of $T$ tokens held across all individual accounts,

$$F_{\min}(\mathcal{A}, \mathsf{tokens}) := -\log_2\left(\frac{\max_{A' \in \mathcal{A}} \mathsf{tokens}(A')}{T}\right)$$


Our entropy notion thus measures the amount of “information” in the largest voting bloc by 
token holdings. As we discuss later on, more granular entropy notions result in more detailed 
analysis (at the cost of being more difficult to estimate in practice), as these may capture the 
information in other voting blocs beyond the largest. 


Putting the two together, we thus get a concrete instantiation o 


$$\mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}, U_{E,\mathcal{P}}, \mathsf{tokens}) := F_{\min}(\mathcal{P}/\!\sim_{C_\epsilon}, \mathsf{tokens})$$


(or 
any other variant of VBE) directly. However, as we show in the subsequent section, VBE can be 
used as a conceptual tool to reason about the high-level impact that changes in the system (such 
as the implementation of policy choices) have on the decentralization of a DAO. Namely, one can 
reason about the directional influence of said changes on the utility functions of the players, and 
thus derive conclusions about whether VBE broadly increased or decreased. 

Further, utility functions (and, thus, VBE) can be estimated via observable variables, which can
be measured directly. In this case, one can explicitly compute VBE, and derive concrete metrics.
(for the purposes of
VBE) will depend, to a great extent, on the specific clustering algorithm that is used. We discuss
this in more detail in Section 4.


3 Implications of VBE: Theoretical Results 


We now present a variety of theoretical results implied by VBE. These results show how, unlike 
prior notions, VBE reflects many of the subtle issues that impact decentralization in a DAO— 
such as those described in Section and thus can serve as a springboard for more accurate 
understanding of the goals of a DAO. 

We first note that, for most “reasonable” instantiations of F (such as any Shannon or min- 
entropy), computing an analogous metric over account balances alone, instead of over voting blocs, 
gives an upper bound on VBE. (Note that the former includes the entropy-based metrics of prior 
work such as [72].) Concretely, this fact holds 

More formally: 


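Lemma 1. Let $C_{\mathrm{solo}}$ be the clustering metric that partitions $\mathcal{P}$ into singleton sets, i.e.,

$$C_{\mathrm{solo}}(U_{E,P_i}, U_{E,P_j}) = 1 \iff i = j,$$

and let $F$ be any function that is monotonically increasing with respect to $\mathsf{tokens}([P])$ for every
$P \in \mathcal{P}$. Then, for any clustering metric $C$, it follows that

$$\mathsf{VBE}_{C_{\mathrm{solo}},F}(E, \mathcal{P}, U_{E,\mathcal{P}}, \mathsf{tokens}) \geq \mathsf{VBE}_{C,F}(E, \mathcal{P}, U_{E,\mathcal{P}}, \mathsf{tokens}).$$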


Proof. This simply follows from the fact that, for all players $P$, the number of tokens held by their
bloc according to $C$ is necessarily greater than or equal to the number of tokens held by their bloc
according to $C_{\mathrm{solo}}$: in the former, either $P$ got grouped in a bloc with more players (and thus
holds more total tokens), or she stayed alone in her bloc. As such, by definition, $F$ will increase
correspondingly. □


We stress that this lemma holds for most $F$ of practical interest, such as Shannon entropy and
min-entropy. As such, VBE is, at worst, equivalent to the entropy-based notions introduced by
prior work, which focus on account balances. In the subsections that follow, we will show how,
in fact, VBE reveals more information, as it is able to capture how decentralization is affected by
various mechanisms, irrespective of (lack of) fluctuations in account balances. Towards this, we
will first present the general recipe of our theorems, before moving on to concrete results.

We note that, for clarity of presentation, our theorems focus exclusively on one instantiation
of VBE, namely, using $\epsilon$-TOC and min-entropy as the clustering metric and entropy function,
respectively. However, even though the theorem statements and proof details would differ for other
variants of VBE, the conceptual takeaways are general (and, in fact, can be made more specific
with more granular instantiations of VBE).


3.1 VBE Master Theorem 


The theorems in the subsections that follow all aim to show the impact of policy choices or system
changes on DAO decentralization, in terms of VBE. They all have a similar structure: (1) we
consider two systems such that the only difference between them is some “transformation” of
interest, e.g., a portion of the voters become apathetic, elections are instead private, etc; (2) we
reason about the impact of this transformation on the largest voting bloc of both systems; (3)
based on this, we compute and compare the VBE of both systems.

We now define a “master” theorem for $\mathsf{VBE}_{C_\epsilon,\min}$ which captures this template, and thus serves
as a proof framework that can be instantiated with concrete transformations of interest. Indeed,
our theoretical results that follow are examples of this, as they all invoke this master theorem.
(We note that the master theorem can be easily tweaked to accommodate different instantiations
of VBE, but here we focus exclusively on $\epsilon$-TOC and min-entropy for clarity of presentation.)

In all theorems that follow, we denote by $E$ a set of binary elections, $\mathcal{P}$ a set of players that
participate in such elections, $\mathsf{tokens}$ a mapping specifying the number of tokens owned by each
player, and $U_{E,\mathcal{P}}$ the players’ utilities across the elections. The master theorem then proceeds as
follows:


Theorem 3.1 (Voting-Bloc Entropy Master Theorem). We define $T$ to be a function that represents
i.e., a change in the players, elections, utilities of the players, and/or
the distribution of tokens, which we denote by
The total number of tokens in the system stays constant, however. Let $B$ and $B'$ be the (not
necessarily unique) according to $(E, U_{E,\mathcal{P}}, \mathsf{tokens})$ and
$(E', U'_{E',\mathcal{P}'}, \mathsf{tokens}')$, respectively. Then, it follows that

$$\mathsf{tokens}'(B') \geq \mathsf{tokens}(B) \iff \mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}, U_{E,\mathcal{P}}, \mathsf{tokens}) \geq \mathsf{VBE}_{C_\epsilon,\min}(E', \mathcal{P}', U'_{E',\mathcal{P}'}, \mathsf{tokens}').$$


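Proof. This follows directly from the definition of $\mathsf{VBE}_{C_\epsilon,\min}$:

$$\begin{aligned}
& \mathsf{tokens}'(B') \geq \mathsf{tokens}(B) \\
\iff{} & \frac{\mathsf{tokens}'(B')}{\sum_{P \in \mathcal{P}'} \mathsf{tokens}'(P)} \geq \frac{\mathsf{tokens}(B)}{\sum_{P \in \mathcal{P}} \mathsf{tokens}(P)} \\
\iff{} & -\log_2\left(\frac{\mathsf{tokens}'(B')}{\sum_{P \in \mathcal{P}'} \mathsf{tokens}'(P)}\right) \leq -\log_2\left(\frac{\mathsf{tokens}(B)}{\sum_{P \in \mathcal{P}} \mathsf{tokens}(P)}\right) \\
\iff{} & \mathsf{VBE}_{C_\epsilon,\min}(E', \mathcal{P}', U'_{E',\mathcal{P}'}, \mathsf{tokens}') \leq \mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}, U_{E,\mathcal{P}}, \mathsf{tokens})
\end{aligned}$$

□

Note that, if $B'$ represents a (new) majority by token holdings, then VBE strictly increases;
equality follows when $\mathsf{tokens}'(B') = \mathsf{tokens}(B)$.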

This master theorem thus serves as a template that individual theorems can bootstrap off 
of: simply specify a transformation T, explain how this modifies the largest voting bloc (if at 
all), and invoke Theorem Armed with this formula, we now move on to concrete theoretical 
insights implied by VBE. Our theorem statements and proofs are simple, and often just show how 
VBE confirms a known pattern (for example, that quadratic voting is susceptible to sybil attacks). 
However, our goal is to show the flexibility of (a limited instantiation of) VBE, and how, unlike prior 
metrics, it is able to capture the subtle impacts that certain mechanisms have on decentralization.


3.2 Owning Multiple Accounts 


As explained in Section 1, previous notions of entropy fail to capture the centralization that is
present (but hidden) / addresses. In such 
cases, it may appear that tokens are well diversified across accounts, while a large fraction are in 
fact under the control of one entity. Unlike prior notions, VBE captures this nuance, since these 
accounts would 


We formalize this below. 


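Theorem 3.2 (Sybil Attacks and VBE). Let
$(\mathcal{P}', E, U'_{E,\mathcal{P}'}, \mathsf{tokens}') = T_{\mathrm{mult}}(\mathcal{P}, E, U_{E,\mathcal{P}}, \mathsf{tokens})$ be
the transformation where i.e.,
$\mathcal{P}' = \mathcal{P} \cup \hat{\mathcal{P}}$, $\mathsf{tokens}'(\hat{\mathcal{P}}) = \mathsf{tokens}(P)$, and
$\forall \hat{P} \in \hat{\mathcal{P}}$, $U'_{E,\hat{P}} = U_{E,P}$. The rest of the system remains
unchanged. Then, it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}, U_{E,\mathcal{P}}, \mathsf{tokens}) = \mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}', U'_{E,\mathcal{P}'}, \mathsf{tokens}').$$

Proof. Let $B$ be the largest voting bloc by token holdings before $T_{\mathrm{mult}}$, which may or may not
include $P$. By assumption, all $\hat{P} \in \hat{\mathcal{P}}$ are such that $U'_{E,\hat{P}} = U_{E,P}$. Thus, all new accounts will be
in the same voting bloc $B'$ after $T_{\mathrm{mult}}$, namely, $B' = [P]$.
It follows then that, even though $P$’s tokens are distributed between all individual accounts in $\hat{\mathcal{P}}$,
they are in fact still under the control of the same bloc, i.e., $B'$. As such, $\mathsf{tokens}'(B') = \mathsf{tokens}(B')$.
So, since no blocs acquire any new tokens, $B$ is still the largest voting bloc by token holdings after
$T_{\mathrm{mult}}$. Then, from Theorem 3.1, it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}, U_{E,\mathcal{P}}, \mathsf{tokens}) = \mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}', U'_{E,\mathcal{P}'}, \mathsf{tokens}')$$

as desired. □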


This result shows that, according to VBE, the “true” decentralization of the system does not
change when a whale splits her tokens into multiple accounts, as they are all still under the control of
the same voting entity. Conversely, metrics that focus on account balances alone would mistakenly
conclude that the decentralization of the system strictly increased, since a set of tokens is diversified
across more accounts.


3.3 Apathy 


A system where voters are apathetic, i.e., not interested in the direction of the community, is not
aligned with the goals of a DAO: distribution of tokens is irrelevant if individuals abstain from
voting, as elections are narrowed squarely to the set of more invested stakeholders. Our definition
captures this fact. Intuitively, apathetic voters all have similar utility functions, which reflect their
lack of stake in the elections. VBE groups all of these players within the same voting bloc, due to
their aligned utilities. (Recall that we use $A$ to denote this set of apathetic voters.)

w, if the disinterested players are small stakeholders to begin with, apathy
Indeed, in practice,
it is common for the set of apathetic voters to represent a majority of token holdings [44]. We
note, however, that interestingly

Theorem 3.3 (Apathy and VBE). Let
$(E, U'_{E,\mathcal{P}}, \mathsf{tokens}) = T_{\mathrm{apath}}(\hat{\mathcal{P}}, E, U_{E,\mathcal{P}}, \mathsf{tokens})$ be the
transformation where players $\hat{\mathcal{P}} \subseteq \mathcal{P}$ become $\epsilon$-apathetic, i.e.,
$\forall P \in \hat{\mathcal{P}}\ \forall e \in E$, $|\mathsf{util}'_P(e, \mathsf{true})| < \epsilon$. The
rest of the system remains unchanged. Then, if $\forall P \in \mathcal{P}$, $\mathsf{tokens}(A) \geq \mathsf{tokens}([P])$, it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}, U_{E,\mathcal{P}}, \mathsf{tokens}) \geq \mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}, U'_{E,\mathcal{P}}, \mathsf{tokens}).$$

Proof. Let $B$ be the largest voting bloc by token holdings before $T_{\mathrm{apath}}$. We first note that all
apathetic voters belong to the same voting bloc $B'$, according to $\epsilon$-TOC: by the definition of
$\epsilon$-apathetic, it follows that, for all $P_i, P_j \in \hat{\mathcal{P}}$ and $e \in E$,

$$|\mathsf{util}'_{P_i}(e, \mathsf{true})|,\ |\mathsf{util}'_{P_j}(e, \mathsf{true})| < \epsilon,$$

which corresponds precisely to the bloc of apathetic voters in $\epsilon$-TOC, containing all players
in $A$. Then, by assumption, $\mathsf{tokens}(B') = \mathsf{tokens}(A) \geq \mathsf{tokens}([P])$, $\forall P \in \mathcal{P}$. So, since no other
blocs decrease in size, it follows that $\mathsf{tokens}(B') \geq \mathsf{tokens}(B)$: either the bloc that aggregates all
apathetic voters is now the largest bloc, or the same bloc is the largest in both instances. Thus,
from Theorem 3.1, it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}, U_{E,\mathcal{P}}, \mathsf{tokens}) \geq \mathsf{VBE}_{C_\epsilon,\min}(E, \mathcal{P}, U'_{E,\mathcal{P}}, \mathsf{tokens})$$

as desired. □

This result shows that VBE captures the intuition that large-scale apathy, which is common in
practice, has a centralizing effect. We refer to the bloc of apathetic voters in a DAO, i.e., non-voting
token holders, as the inactivity whale. This term reflects the collective and potentially systemically
important inactive behavior of this group.
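
Added worked example (not part of the paper): it computes VBE with ε-TOC-style blocs and min-entropy for a small constructed DAO, and compares it with min-entropy over account balances under the account-splitting transformation of Theorem 3.2 and the apathy transformation of Theorem 3.3. As an assumption made here to obtain a partition, a player joins the apathetic bloc only when every utility is below ε in magnitude and is otherwise keyed by the sign of each utility; all names, token amounts and utilities are constructed.

```python
import math
from collections import defaultdict

EPS = 0.01               # apathy threshold epsilon (constructed value)
APATHETIC = "apathetic"  # label for the inactivity-whale bloc (name chosen here)

# Constructed DAO with two binary elections: name -> (tokens, utilities),
# where utilities[k] is the player's utility for outcome "true" in election k.
DAO = {
    "whale": (40.0, (5.0, -3.0)),
    "alice": (20.0, (-1.0, 2.0)),
    "bob":   (15.0, (2.0, 1.0)),
    "carol": (15.0, (-1.0, -1.0)),
    "dave":  (10.0, (0.001, -0.002)),   # already epsilon-apathetic
}


def bloc_key(utils, eps):
    """Assumed partition rule: apathetic bloc if every |utility| < eps,
    otherwise the vector of preferred outcomes (sign of each utility)."""
    if all(abs(u) < eps for u in utils):
        return APATHETIC
    return tuple((u > 0) - (u < 0) for u in utils)


def voting_blocs(players, eps):
    """Total tokens held by each voting bloc."""
    blocs = defaultdict(float)
    for tokens, utils in players.values():
        blocs[bloc_key(utils, eps)] += tokens
    return dict(blocs)


def min_entropy(holdings):
    """-log2 of the largest share among the given token holdings."""
    holdings = list(holdings)
    return -math.log2(max(holdings) / sum(holdings))


def vbe_min(players, eps):
    """VBE with the bloc partition above and min-entropy."""
    return min_entropy(voting_blocs(players, eps).values())


def address_min_entropy(players):
    """The same entropy computed over individual account balances."""
    return min_entropy(tokens for tokens, _ in players.values())


def split_account(players, name, n):
    """Account splitting: replace one holder by n accounts with equal shares
    and identical utilities (total tokens unchanged)."""
    tokens, utils = players[name]
    out = {k: v for k, v in players.items() if k != name}
    for i in range(n):
        out[f"{name}#{i}"] = (tokens / n, utils)
    return out


def make_apathetic(players, names):
    """Set the named players' utilities to zero in every election."""
    out = dict(players)
    for name in names:
        tokens, utils = players[name]
        out[name] = (tokens, tuple(0.0 for _ in utils))
    return out


def scenarios():
    """(label, address-level min-entropy, VBE) for the three systems."""
    systems = [
        ("baseline", DAO),
        ("whale split into 4 accounts", split_account(DAO, "whale", 4)),
        ("alice, bob, carol become apathetic",
         make_apathetic(DAO, ["alice", "bob", "carol"])),
    ]
    return [(label, address_min_entropy(p), vbe_min(p, EPS))
            for label, p in systems]


if __name__ == "__main__":
    for label, addr, vbe in scenarios():
        print(f"{label:38s} address-level={addr:.3f}  VBE={vbe:.3f}")
```

Splitting the whale raises the address-level figure from 1.322 to 2.322 bits while VBE stays at 1.322; making three holders apathetic creates a 60-token inactivity whale and lowers VBE to 0.737.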


3.4 Delegation 


Intuition would suggest that delegation leads to a more centralized system: tokens that were
originally held by a large set of players, are instead under the control of the (smaller) set of
delegates. As we prove formally below, however, VBE shows how this situation is more nuanced, as
held by a single voting bloc, namely, the inactivity whale. Delegation then diversifies the tokens
held by this “whale”, and distributes them amongst a set of voting blocs (the delegates).
that the size of the inactivity whale is larger than each delegate’s total tokens—which tends to be
true in practice [31, 44]—the system is now more decentralized.


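Theorem 3.4 (Delegation and VBE). Let $(\mathcal{E}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}') = T_{\mathsf{deleg}}(\mathcal{P}, \mathcal{E}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$ be the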
transformation where players A i 

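delegates $D \subset \mathcal{P}$, i.e., $\mathsf{tokens}'(D) = \mathsf{tokens}(\hat{\mathcal{P}})$ and $\mathsf{tokens}'(\hat{\mathcal{P}}) = 0$. The rest of the system remains unchanged. Then, if $\forall d \in D$, $\mathsf{tokens}(\mathcal{A}) > \mathsf{tokens}'([d])$, it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}') > \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}).$$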


Proof. Let $B$ be the largest voting bloc by token holdings before $T_{\mathsf{deleg}}$. As discussed in the proof of Theorem 3.3, all players in $\hat{\mathcal{P}}$ belong to the same voting bloc for all elections in $\mathcal{E}$—the inactivity whale—since they are all part of the set of apathetic voters $\mathcal{A}$. Let $B'$ be the largest voting bloc by token holdings after $T_{\mathsf{deleg}}$; note that it may be the case that $B' = [d]$ for some $d \in D$.

We first note that $B'$ is equal to either (1) $B$ itself, (2) the second largest voting bloc after $B$ before delegation, or (3) $[d]$, for some $d \in D$. That is, since the only blocs that change after $T_{\mathsf{deleg}}$ are all the $[d]$ and the inactivity whale (which lost $\mathsf{tokens}(\hat{\mathcal{P}})$ tokens), it must be the case that the new largest voting bloc is either the same one as before delegation, the second largest voting bloc before delegation (i.e., $B$ was the inactivity whale, which got fractionated by delegation), or one of the $[d]$ which increased in size.

For (1) and (2), it is clearly the case that $\mathsf{tokens}(B) > \mathsf{tokens}'(B')$. Then, for (3), note that, by assumption, $\mathsf{tokens}(\mathcal{A}) > \mathsf{tokens}'([d])$, for all $d \in D$. So, $\mathsf{tokens}(B) > \mathsf{tokens}(\mathcal{A}) \implies \mathsf{tokens}(B) > \mathsf{tokens}'([d]) = \mathsf{tokens}'(B')$.

It follows then that, in all cases, $\mathsf{tokens}(B) > \mathsf{tokens}'(B')$. Thus, from Theorem 3.1 we get that

$$\mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}') > \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$$

as desired. □


The intuition behind this result is that, as long as the delegates are not “too big”, delegation 
actually has a decentralizing effect. Conversely, if some delegate is a whale, or gets delegated an 
overwhelming majority of tokens, then the system may become more centralized.


is most useful in cases where apathy is high. This idea is captured by the following 
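Corollary 1. If, in Theorem 3.4, there exists some delegate $d \in D$ such that $\mathsf{tokens}'([d]) > \mathsf{tokens}(\hat{\mathcal{P}})$, then $\mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}') < \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$.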


In practice, it is common for delegates to be small relative to the inactivity whale [31], but this, of course, need not always be true.


3.5 Herding 


A core goal of DAOs—and any democratic system more broadly—is for token holders to vote 
according to their true preferences. In practice, however, many DAOs fail to meet this goal and 
instead exhibit herding behavior. Specifically, when votes are publicly observable, social dynamics 
lead to the formation of “coalitions” of voters. For example, token holders have reported feeling 
influenced to vote a certain way, often in alignment with influential community members, in order 

[72]. Similarly, it has 
been observed and measured that token holders often vote in alignment with their peers [63], who 
now operate as a single, large entity. In both cases, the monetary utility derived from the social 
impact of a player’s vote skews the monetary utility of her desired outcome in a vacuum. 

Herding leads to more centralization, as votes artificially converge on one outcome. Token distribution alone, however, does not show this. Indeed, a system where tokens are distributed evenly, but all players vote for the same outcome due to herding, would be deemed optimally decentralized according to such metrics. Conversely, VBE does conclude that reputational risks lead to more centralization, as it aligns the utilities of the players towards the socially preferred outcome.


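Theorem 3.5 (Herding and VBE). Let $(\mathcal{E}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) = T_{\mathsf{herd}}(\mathcal{P}, \mathcal{E}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$ be the transformation where players $\hat{\mathcal{P}} \subset \mathcal{P}$ exhibit herding toward, without loss of generality, true. That is,


to $\max(2 \cdot \mathsf{util}_P(e, \mathsf{false}) + \epsilon, 0)$ for some constant $\epsilon$. The rest of the system remains unchanged. Then, it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) > \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}).$$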


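Proof. Let $B$ be the largest voting bloc by token holdings before $T_{\mathsf{herd}}$. Note that, after $T_{\mathsf{herd}}$, all voters in $\hat{\mathcal{P}}$ belong to the same voting bloc $B'$: for every $P \in \hat{\mathcal{P}}$, $U'_{\mathcal{E},P}$ will consist of only positive values: either $P$ preferred an outcome of true in $e$ to begin with, or their monetary utility of true is now $|\mathsf{util}_P(e, \mathsf{false})| + \epsilon$. Thus, since $\operatorname{sgn}(\mathsf{util}_P(e, \mathsf{true})) = 1$ for all $e \in \mathcal{E}$, all of $\hat{\mathcal{P}}$ consists of a single voting bloc $B'$ according to $\epsilon$-TOC.

It follows then that $\mathsf{tokens}(B') > \mathsf{tokens}(B)$, as either the “new” voting bloc $B'$ is now the largest bloc, or the same bloc is the largest before and after $T_{\mathsf{herd}}$. Then, from Theorem 3.1 it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) > \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$$

as desired. □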


An important conclusion of this theorem is that privacy instead increases the decentralization of a system, as it serves as a “mitigation” to herding. That is, if votes are private, token holders can vote for their true preferences, instead of being influenced by, e.g., social optics or the votes of their peers. (We omit a formal proof of this corollary, as it follows directly via a proof by contradiction of Theorem 3.5.)


3.6 Voting slates 


d “voting slates”—is in opposition with decentralization: decision-making is more diluted, thus decreasing the relative impact of each voter in the underlying proposals. That is, voting slates “factor out”

For example, two 
players may disagree in many of the individual proposals, but agree on a few of the more important 
ones, resulting in them casting the same overall vote. 

We model a player’s utility for a slate of elections simply by adding the utilities of the underlying proposals. That is, for all $P \in \mathcal{P}$ and some election $E$ comprised of some subset of elections of $\mathcal{E}$, the utility of $P$ in $E$ is:

$$\mathsf{util}_P(E, \mathsf{true}) = \sum_{e \in E} \mathsf{util}_P(e, \mathsf{true}).$$


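popular proposals, and thus increase their chances of passing. We model this by saying that if


$$C_\epsilon(U_{\mathcal{E},P_i}, U_{\mathcal{E},P_j}) = 1 \implies \operatorname{sgn}\Big(\sum_{e \in E} \mathsf{util}_{P_i}(e, \mathsf{true})\Big) = \operatorname{sgn}\Big(\sum_{e \in E} \mathsf{util}_{P_j}(e, \mathsf{true})\Big)$$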


As we show below, VBE reflects the fact that bundling proposals indeed decreases decentralization: by considering a narrower set of elections, which smoothens utility functions, different voting blocs are combined to form larger ones.


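Theorem 3.6 (Voting Slates and VBE). Let $(\mathcal{E}', U'_{\mathcal{E}',\mathcal{P}}, \mathsf{tokens}) = T_{\mathsf{slates}}(\mathcal{P}, \mathcal{E}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$ be the transformation where all elections $\mathcal{E}$ are bundled together into slates to form a smaller set of elections $\mathcal{E}'$. The rest of the system remains unchanged. Then, it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) > \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}', \mathcal{P}, U'_{\mathcal{E}',\mathcal{P}}, \mathsf{tokens}). \tag{1}$$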


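Proof. Let $B$ be the largest voting bloc by token holdings before $T_{\mathsf{slates}}$. Then, note that all players in $B$ are still in the same voting bloc $B'$ after $T_{\mathsf{slates}}$: since $C_\epsilon(U_{\mathcal{E},P_i}, U_{\mathcal{E},P_j}) = 1$ for every pair of players in $B$, by assumption, it follows that

$$\forall E \in \mathcal{E}',\ \operatorname{sgn}\Big(\sum_{e \in E} \mathsf{util}_{P_i}(e, \mathsf{true})\Big) = \operatorname{sgn}\Big(\sum_{e \in E} \mathsf{util}_{P_j}(e, \mathsf{true})\Big).$$

Conversely, players who did not belong to $B$ may, in fact, join $B'$ after $T_{\mathsf{slates}}$: even if the players disagree in some of the underlying proposals for a particular slate $E$, they may cast the same overall vote for the entire slate. As such, $B'$ contains strictly more players than $B$, which implies that $\mathsf{tokens}(B') > \mathsf{tokens}(B)$. Then, from Theorem 3.1 it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) > \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}', \mathcal{P}, U'_{\mathcal{E}',\mathcal{P}}, \mathsf{tokens})$$

as desired.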
3.7 Bribery


There is an intuitive relationship between decentralization and bribery, namely, that successful bribery poses a threat to decentralization: in such a case, the entity that acquires the votes of the
However, traditional decentralization metrics, i.e., based on token distribution across accounts, fail to capture this fact: bribed voters, albeit casting votes as instructed by the briber, still technically hold their tokens.

Conversely, VBE groups all bribed voters in the briber’s bloc, as all bribees now have aligned utility functions, in line with the briber’s desired outcome.

We note that, interestingly, similar to our result from Section 3.3,
consequence of leading to a more decentralized system, in the case where it fragments a larger bloc (say, the inactivity whale, or some large coalition of voters). However, we ignore this edge case and assume instead that the bloc of bribed voters represents a majority by token holdings.


(In particular, for the inactivity whale, it would be rational for all apathetic voters to accept a bribe, in which case the entire inactivity whale is absorbed.) As such, even though bribery need not, unconditionally, increase centralization, it poses a practical threat to decentralization.


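Theorem 3.7 (Bribery and VBE). Let $(\mathcal{E}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) = T_{\mathsf{bribe}}(\mathcal{P}, \mathcal{E}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$ be the transformation where an entity successfully bribes players $\hat{\mathcal{P}} \subset \mathcal{P}$ in elections $\mathcal{E}$ to achieve an outcome of, without loss of generality, true. The rest of the system remains unchanged. Then, it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) > \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}). \tag{2}$$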


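Proof. Let $B$ be the largest voting bloc by token holdings before $T_{\mathsf{bribe}}$. First, note that, after $T_{\mathsf{bribe}}$, all voters in $\hat{\mathcal{P}}$ belong to the same voting bloc $B'$. Recall that, in our DAO abstraction, bribing a player $P$ to flip its vote in election $e$ from false to true costs $\max(2 \cdot \mathsf{util}_P(e, \mathsf{false}) + \epsilon, 0)$. So, for every $P \in \hat{\mathcal{P}}$ and $e \in \mathcal{E}$, either $\mathsf{util}_P(e, \mathsf{true})$ was already positive to begin with, or it is now $|\mathsf{util}_P(e, \mathsf{false})| + \epsilon$. Then, since $\operatorname{sgn}(\mathsf{util}_P(e, \mathsf{true})) = 1$ for all $e \in \mathcal{E}$, all of $\hat{\mathcal{P}}$ consists of a single voting bloc $B'$ according to $\epsilon$-TOC.

It follows then that $\mathsf{tokens}(B') > \mathsf{tokens}(B)$, as either the “new” voting bloc $B'$ is now the largest bloc, or the same bloc is the largest before and after $T_{\mathsf{bribe}}$. Then, from Theorem 3.1 it follows that

$$\mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) > \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$$

as desired. □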


Scale of bribery and decentralization. A second, more nuanced observation is that successful 

i.e.,
highly decentralized. Intuitively, if a DAO is highly centralized, a briber can directly coordinate 
with a few large players to guarantee an election outcome; or, if the briber is a whale herself, she 
only needs to bribe a few of the smaller players to accumulate enough tokens to mount a successful 
attack. Instead, in a more decentralized system, players are smaller, so a briber needs to widen 
the scale of their attack if they want to win an election. That is, in this case, successful bribery 
requires large-scale coordination among various smallholders. 
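Theorem 3.8 (Internal Bribery and VBE). Let $(\mathcal{E}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) = T_{\mathsf{bribe}}(\mathcal{P}, \mathcal{E}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$ be the transformation where $U'_{\mathcal{E},\mathcal{P}}$ is some arbitrary change in the utilities of the players. The rest of the system remains unchanged. Assume that an entity in $\mathcal{P}$ needs to bribe other players holding a total of at least $n_1$ and $n_2$ tokens to guarantee an outcome of true in elections $\mathcal{E}$ before and after $T_{\mathsf{bribe}}$, respectively. Then, it follows that

$$n_1 > n_2 \iff \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) < \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}). \tag{3}$$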


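Proof. We first make the trivial observation that the minimum number of tokens that must be bought to guarantee an election outcome occurs when the bribing entity belongs to the largest voting bloc by token holdings. Let $B_1$ and $B_2$ be such blocs before and after $T_{\mathsf{bribe}}$, respectively. By Theorem 3.1 we get that

$$\mathsf{tokens}(B_2) > \mathsf{tokens}(B_1) \iff \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) < \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}).$$

Then, note that, for $i \in \{1, 2\}$,

$$n_i = q \cdot \sum_{P \in \mathcal{P}} \mathsf{tokens}(P) - \mathsf{tokens}(B_i)$$

It thus follows that $n_1 > n_2 \iff \mathsf{tokens}(B_2) > \mathsf{tokens}(B_1)$, i.e.,

$$n_1 > n_2 \iff \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) < \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$$

as desired. □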


The theorem above shows how, as a DAO becomes more decentralized, a higher number of tokens need to be corrupted to guarantee an election outcome, since all players are small to begin with. Conversely, in a more centralized DAO, large whales only need to corrupt a few tokens to guarantee their desired election outcome.

This result sheds light on the scale of bribery in the case where the briber is a malicious 
tokenholder a priori. Conversely, the briber may instead be some external entity. In this case, 
decentralization also raises the risk of systemic bribery: if there are large players in the system, the 
briber can directly coordinate with whales to achieve their desired election outcome. If, however, 
the DAO is highly decentralized, the outcome of the election depends on many stakeholders, which 
thus requires large-scale coordination among these. More formally: 


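Theorem 3.9 (External Bribery and VBE). Let $(\mathcal{E}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) = T_{\mathsf{bribe}}(\mathcal{P}, \mathcal{E}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$ be the transformation where $U'_{\mathcal{E},\mathcal{P}}$ is some arbitrary change in the utilities of the players. The rest of the system remains unchanged. Let $n_1$ and $n_2$ be the minimum number of players that an external entity needs to corrupt to guarantee an outcome of true in elections $\mathcal{E}$ before and after $T_{\mathsf{bribe}}$, respectively. Then, it follows that

$$n_1 > n_2 \iff \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) < \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}). \tag{4}$$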


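Proof. This proof is very similar to that of Theorem 3.8. Let $B_1$ and $B_2$ be the largest blocs by token holdings before and after $T_{\mathsf{bribe}}$, respectively. By Theorem 3.1 we get that

$$\mathsf{tokens}(B_2) > \mathsf{tokens}(B_1) \iff \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) < \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}).$$

Then, note that, for $i \in \{1, 2\}$:

$$n_i = \frac{q \cdot \sum_{P \in \mathcal{P}} \mathsf{tokens}(P)}{\mathsf{tokens}(B_i)}$$

It thus follows that $n_1 > n_2 \iff \mathsf{tokens}(B_2) > \mathsf{tokens}(B_1)$, i.e.,

$$n_1 > n_2 \iff \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U'_{\mathcal{E},\mathcal{P}}, \mathsf{tokens}) < \mathsf{VBE}_{C_\epsilon,\min}(\mathcal{E}, \mathcal{P}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$$

as desired. □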


We make the important note that, to acquire a fixed number of target tokens (i.e., in the case 
where the briber is an external actor), 


bribing a smaller set of whales to acquire the same number of tokens.
more “pivotal” [80], i.e., have a greater influence on election outcomes, and thus

to bribe. As such, decentralization decreases the cost to mount a bribery attack on a DAO. We discuss this in detail in Section 5.3.

Systemic bribery has long been recognized as one of the main threats to traditional elections, and we have now shown that this is also the case for DAOs. However, bribery is not considered a realistic concern in secret ballot elections, due to the fact that such large-scale vote buying would be logistically and economically infeasible to coordinate, and would be traceable. Further, rational vote sellers would simply take the bribe but still vote according to their preferences, instead of following the briber’s demands. Looking ahead, we will show in Section 5 that, conversely, bribery

Thus, bribery is a realistic and practical threat for DAO elections.


3.8 Quadratic Voting 


Quadratic voting is a voting mechanism that attempts to dilute the influence of whales on election outcomes. To do so, a vote from a player that owns $n$ tokens will only have an impact of $\sqrt{n}$ on the election outcome. At face value, quadratic voting seems to make a system more decentralized: the quadratic “tax” is directly proportional to the number of tokens a player owns, which thus shrinks the gap between ers and whales. However, quadratic voting is known


to be [68], and thus may 


have a centralizing effect: 


As a concrete example, consider a quadratic voting system with no verification of real-world identities. In this case, a whale can divide her tokens amongst multiple accounts, which increases the impact that her votes have on the election outcome. (In fact, as we show in Section 5.3


Traditional DAO decentralization metrics fail to capture this attack on quadratic voting, since they do not reason about the relationship between the individual accounts. Conversely, VBE would group together all the accounts under the control of the same entity as part of the same voting bloc, and thus conclude that decentralization has decreased. This is analogous to our result from Theorem which shows that, in general, splitting tokens across multiple accounts does not increase decentralization.


“election outcome. 


Quadratic voting and bribery. Similar to a whale splitting off her tokens into multiple accounts, a set of colluding players can have a greater impact in the election outcome if quadratic voting is employed. Namely, quadratic voting may have the surprising consequence of decreasing the cost of bribery. The high-level idea is that quadratic voting “amplifies” the power of small accounts, which may be cheaper to bribe. Thus, for the same cost, a briber is able to have a greater impact on the outcome of an election.

Prior work has informally identified these issues in the context of traditional elections [68], 
and DAOs specifically [32]. For the former, as discussed at the end of Section large-scale 
collusion is not considered a realistic threat, and thus the fact that bribery can have a bigger 
impact on an election outcome if quadratic voting is employed is not seen as a practical limitation. 
However, since our Dark DAO prototype from Section B]makes bribery inexpensive and guarantees 
fair exchange, bribery poses a realistic threat to quadratic voting (and any blockchain-based voting 
scheme for that matter). 

Our formalism captures this relationship between quadratic voting and bribery. We define 
“small” accounts to be, concretely, 
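voting in place, and thus have their impact amplified. More formally, we denote that a player $P \in \mathcal{P}$ benefits from quadratic voting by $\mathsf{quad}(P, \mathsf{tokens}) = 1$, where

$$\mathsf{quad}(P, \mathsf{tokens}) = 1 \iff \frac{\mathsf{tokens}(P)}{\sum_{p \in \mathcal{P}} \mathsf{tokens}(p)} < \frac{\sqrt{\mathsf{tokens}(P)}}{\sum_{p \in \mathcal{P}} \sqrt{\mathsf{tokens}(p)}}$$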


The relationship between quadratic voting and bribery hinges on whether the cost to brib 


Whether quadratic voting changes a player’s utility or not will vary across systems. Broadly 


speaking, 


not change their utilities. As such, the nature of a community must be taken into account when 
deciding to use quadratic voting. 


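Theorem 3.10 (Quadratic Voting and Bribery). Let $(\mathcal{E}', U'_{\mathcal{E}',\mathcal{P}}, \mathsf{tokens}) = T_{\mathsf{quad}}(\mathcal{P}, \mathcal{E}, U_{\mathcal{E},\mathcal{P}}, \mathsf{tokens})$
be

We denote the election corresponding to $e \in \mathcal{E}$ by $e' \in \mathcal{E}'$. Let $f$ and $f'$ be the fraction of total votes that a bribing entity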


Then, it follows that

$$f < f' \Longleftarrow \exists \hat{\mathcal{P}} \subset \mathcal{P} \mid \forall P \in \hat{\mathcal{P}},\ (\mathsf{quad}(P, \mathsf{tokens}) = 1 \wedge U'_{\mathcal{E}',P} = U_{\mathcal{E},P})$$


Proof. Recall from Section P] that the cost of bribing all players in Ê to vote for, without loss of 
generality, false in all elections E is 


$$t = \sum_{P \in \hat{\mathcal{P}}} \sum_{e \in \mathcal{E}} \max(2 \cdot \mathsf{util}_P(e, \mathsf{false}) + \epsilon, 0)$$


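Since, by assumption, $\forall P \in \hat{\mathcal{P}}\ \forall e \in \mathcal{E}$, $\mathsf{util}_P(e, \mathsf{false}) = \mathsf{util}_P(e', \mathsf{false})$, it follows that the


is also $t$. Then, since all players in $\hat{\mathcal{P}}$ benefit


by definition, for all $P \in \hat{\mathcal{P}}$,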


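$$\frac{\mathsf{tokens}(P)}{\sum_{p \in \mathcal{P}} \mathsf{tokens}(p)} < \frac{\sqrt{\mathsf{tokens}(P)}}{\sum_{p \in \mathcal{P}} \sqrt{\mathsf{tokens}(p)}}$$

$$\implies \sum_{P \in \hat{\mathcal{P}}} \frac{\mathsf{tokens}(P)}{\sum_{p \in \mathcal{P}} \mathsf{tokens}(p)} < \sum_{P \in \hat{\mathcal{P}}} \frac{\sqrt{\mathsf{tokens}(P)}}{\sum_{p \in \mathcal{P}} \sqrt{\mathsf{tokens}(p)}}$$

$$\implies f < f'$$

as desired. □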


This result thus shows that quadratic voting may be favorable for a bribing entity. In particular, 
bribery decreases: 


Corollary 2. Assume that, for $\hat{\mathcal{P}}$ as defined in Theorem 3.10, $\mathsf{tokens}(\hat{\mathcal{P}}) > q \cdot \sum_{P \in \mathcal{P}} \mathsf{tokens}(P)$. Let $t$ and $t'$ be the expenditure required to guarantee an outcome of true in elections $\mathcal{E}$ and $\mathcal{E}'$, respectively. Then, it follows that $t' < t$.


This corollary simply follows from the fact that, as proved in Theorem 3.10, the expenditure $t'$ required to control a fraction of $q$ votes in $\mathcal{E}'$, and thus guarantee successful bribery in $\mathcal{E}'$, would only be enough to acquire a fraction of $q - \epsilon$ votes in $\mathcal{E}$. As such, some additional expenditure is required to cross the threshold of $q$ votes.
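The following added example (not code from the paper) evaluates the quad predicate and the vote fractions f and f′ of Theorem 3.10 on constructed balances, and measures, per controlling entity, how splitting one balance across accounts changes its quadratic vote share. The account names, balances, and the entity-to-account attribution are assumptions made for illustration.

```python
from math import sqrt

# Constructed token balances (not real DAO data).
HOLDINGS = {"whale": 6400, "m1": 900, "m2": 900,
            "s1": 100, "s2": 100, "s3": 100, "s4": 100}


def linear_share(holdings, accounts):
    """Fraction f of total votes held by `accounts` under token-weighted voting."""
    return sum(holdings[a] for a in accounts) / sum(holdings.values())


def quadratic_share(holdings, accounts):
    """Fraction f' of total votes held by `accounts` when n tokens count as sqrt(n)."""
    return (sum(sqrt(holdings[a]) for a in accounts)
            / sum(sqrt(v) for v in holdings.values()))


def quad(holdings, account):
    """quad(P, tokens) = 1 iff P's vote share is larger under quadratic voting."""
    return linear_share(holdings, [account]) < quadratic_share(holdings, [account])


def split_account(holdings, account, parts):
    """Return (new holdings, new account names) with `account` split evenly."""
    balance = holdings[account]
    if parts < 1 or balance % parts:
        raise ValueError("balance must divide evenly into parts")
    names = [f"{account}#{i}" for i in range(parts)]
    new = {a: v for a, v in holdings.items() if a != account}
    new.update({n: balance // parts for n in names})
    return new, names


def entity_report(holdings, entities):
    """Per-entity (linear share, quadratic share), grouping accounts by controller.

    `entities` maps an entity label to the accounts it controls. The mapping is
    a hypothetical attribution; grouping by controller is what a bloc-based
    metric does and what a per-account token metric cannot see.
    """
    return {label: (linear_share(holdings, accts), quadratic_share(holdings, accts))
            for label, accts in entities.items()}


if __name__ == "__main__":
    for acct in HOLDINGS:
        print(f"{acct:6s} quad={int(quad(HOLDINGS, acct))}")
    small = ["s1", "s2", "s3", "s4"]
    print("small accounts: f =", round(linear_share(HOLDINGS, small), 4),
          " f' =", round(quadratic_share(HOLDINGS, small), 4))
    split, names = split_account(HOLDINGS, "whale", 64)
    print("whale as one account :", entity_report(HOLDINGS, {"whale": ["whale"]}))
    print("whale as 64 accounts :", entity_report(split, {"whale": names}))
```

On this data the four small accounts hold under 5% of token-weighted votes but over 22% of quadratic votes, and the split whale's quadratic share rises above its token-weighted share.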


4 Practical Considerations of VBE 


Since VBE is a theoretical metric, it serves ener! as a conceptual tool to reason about how 


In this section, we discuss some directions towards this, and the limitations of our approach (and our model more broadly). We note, however, that an empirical study of DAOs, such as concretely computing VBE for popular DAOs based on on-chain data, is left as future work.




Limitations of our formal model. Our DAO abstraction from Section] which underpins VBE, 
makes several assumptions, which need not be true in practice. For example, we only consider 
binary elections, whereas DAO proposals can involve multiple options, e.g., Optimism’s process 
for (retroactively) funding public goods, where votes explicitly expressed the allocation of funds 
to different organizations [67]. We note, however, that our model can be reframed to consider 
arbitrary elections, as this would simply involve using a clustering metric for VBE that takes into 
account multiple potential election outcomes when partitioning P. 

A more important limitation is the fact that we assume token holdings remain constant across 
elections. For simplicity and clarity of presentation, we deem this to be sufficient due to the 
conceptual nature of our theoretical results. Further, our model can be modified to assume variable 
token holdings. For example, $\mathsf{tokens}(P)$ can be defined to be the maximum number of tokens held by $P$ at any point across all elections $\mathcal{E}$. We leave such extensions as future work.


Measuring VBE. As we have emphasized throughout this work, VBE is a theoretical notion and 
cannot be measured directly. This is due to the fact that utility functions are latent variables ZAR 
which are not directly measurable. This is an inherent limitation of any metric that depends on 
utility functions, including important results and models from voting theory, e.g., [35]. 

Due to this limitation, VBE is most useful as a theoretical tool to estimate the directional impact 
of policy choices in decentralization. However, VBE does lend itself to indirect measurement: latent 
variables, such as utility functions, can be estimated via observable variables, which are indeed 
measurable. In our context, (such as past 
voting history), low-cost straw polls, social dynamics, etc. 

The accuracy of estimating VBE via observable variables will depend, to a large extent, on the specific clustering algorithm with which VBE is instantiated,
is required from the utility functions in order to partition $\mathcal{P}$. For example, a trivial partition of $C(U_{\mathcal{E},P_i}, U_{\mathcal{E},P_j}) = 1 \implies U_{\mathcal{E},P_i} = U_{\mathcal{E},P_j}$ will yield a less accurate estimate than some other function which only takes into account the voting history of the players.

Practitioners can thus use VBE to derive concrete metrics, and analyze the real-world behavior 
of a system, by initialig&o\ framework with a particular clustering metric and entropy function, 


i o estimate utility functions of players. 
In general, more granular notions of VBE are, of course, more informative. For example, Shannon entropy


However, such functions may require data that is not easy to gather, As such, there is a trade-off between how informative VBE is, and how easy it is to compute.

In the particular case of $\mathsf{VBE}_{C_\epsilon,\min}$, for example, historical voting data is sufficient for $\epsilon$-TOC, since clusters are assigned based on ordinal utility. If we assume voters are rational, we can extrapolate this from the cast votes: for any player $P$ and election $e$, it follows that

$$\mathsf{vote}_P(e) = \mathsf{true} \iff \mathsf{util}_P(e, \mathsf{true}) > \epsilon$$
$$\mathsf{vote}_P(e) = \mathsf{false} \iff \mathsf{util}_P(e, \mathsf{false}) > \epsilon$$
$$\mathsf{vote}_P(e) = \bot \iff |\mathsf{util}_P(e, \mathsf{true})| < \epsilon.$$
Even though we cannot extrapolate the exact value of $\mathsf{util}_P(e, \mathsf{true})$ based on election outcomes, the equations above are sufficient to use $C_\epsilon$ to cluster players. We stress, however, that different instantiations of the VBE framework may require different measurement techniques.
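As an added illustration (not code from the paper), the sketch below estimates the min-entropy variant of VBE from a vote log using the vote-to-utility rule above, and replays the delegation transformation of Theorem 3.4 on the same data. The log format, the holder names and balances are constructed, and two points are assumptions: holders are placed in the same bloc only when their true/false/abstain record matches in every election (a stand-in for ε-TOC), and min-entropy is taken as the negative base-2 logarithm of the largest bloc's share of all tokens.

```python
from collections import defaultdict
from math import log2

# Constructed sample log (not real DAO data): holder -> (token balance, votes).
# A vote is True or False; a missing entry means "eligible but did not vote".
ELECTIONS = ("p1", "p2", "p3")
VOTE_LOG = {
    "alice": (300, {"p1": True,  "p2": False, "p3": True}),
    "bob":   (200, {"p1": True,  "p2": False, "p3": True}),
    "carol": (150, {"p1": False, "p2": True,  "p3": True}),
    "dave":  (50,  {"p1": False, "p2": True,  "p3": False}),
    "erin":  (400, {}),
    "frank": (500, {}),
    "grace": (400, {}),
}


def ordinal_profile(votes, elections=ELECTIONS):
    """Map cast votes to ordinal preferences: +1 true, -1 false, 0 apathetic."""
    signs = {True: 1, False: -1, None: 0}
    return tuple(signs[votes.get(e)] for e in elections)


def voting_blocs(log, elections=ELECTIONS):
    """Group holders with identical ordinal profiles (assumed eps-TOC proxy).

    Returns {profile: (token total, sorted member names)}.
    """
    totals, members = defaultdict(int), defaultdict(list)
    for holder, (balance, votes) in log.items():
        profile = ordinal_profile(votes, elections)
        totals[profile] += balance
        members[profile].append(holder)
    return {p: (totals[p], sorted(members[p])) for p in totals}


def vbe_min(log, elections=ELECTIONS):
    """Min-entropy of the bloc token distribution: -log2(largest bloc share)."""
    blocs = voting_blocs(log, elections)
    supply = sum(total for total, _ in blocs.values())
    if supply == 0:
        raise ValueError("log holds no tokens")
    largest = max(total for total, _ in blocs.values())
    return -log2(largest / supply)


def inactivity_whale(log, elections=ELECTIONS):
    """(token total, members) of the bloc that abstained in every election."""
    return voting_blocs(log, elections).get((0,) * len(elections), (0, []))


def delegate(log, assignments):
    """Return a new log in which each delegator's balance moves to a delegate.

    Delegators end with zero tokens and delegates keep their own voting
    record, mirroring tokens'(D) = tokens(P-hat) and tokens'(P-hat) = 0.
    """
    balances = {h: bal for h, (bal, _) in log.items()}
    for delegator, target in assignments.items():
        if delegator == target or target in assignments:
            raise ValueError("delegates must not delegate onward in this sketch")
        balances[target] += balances[delegator]
        balances[delegator] = 0
    return {h: (balances[h], votes) for h, (_, votes) in log.items()}


if __name__ == "__main__":
    print("inactivity whale:", inactivity_whale(VOTE_LOG))
    print("VBE before delegation:", round(vbe_min(VOTE_LOG), 4))
    spread = delegate(VOTE_LOG, {"frank": "carol", "grace": "dave"})
    print("VBE, whale spread over small delegates:", round(vbe_min(spread), 4))
    single = delegate(VOTE_LOG, {"erin": "alice", "frank": "alice", "grace": "alice"})
    print("VBE, whale delegated to one delegate:", round(vbe_min(single), 4))
```

With this data the inactivity whale holds 65% of tokens; spreading part of it over delegates who each stay smaller than the whale raises the estimate, while delegating all of it to one delegate lowers it.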


Another natural limitation of VBE is that, given that it is a framework, two instances of VBE 


variant of VBE must be used. In practice, however, we expect that broad VBE adoption would 
involve a handful of standard parameters agreed upon by the DAO community. 


Limitations of $\mathsf{VBE}_{C_\epsilon,\min}$. In addition to the general limitations described above, each variant of VBE may pose additional constraints. In the case of $\mathsf{VBE}_{C_\epsilon,\min}$, we lose most of the information provided by all voting blocs except the largest one, since min-entropy is only a function of the latter. This does not imply that the analysis is not accurate, as all subsequent blocs are strictly smaller than the one our definition focuses on, but rather that other entropy notions may yield additional insights; indeed, min-entropy is always less than or equal to Shannon entropy and max-entropy.
Our clustering metric, $\epsilon$-TOC, is also quite strict, as it
could instead consider, for example, a generalization $\epsilon$-threshold ordinal clustering that is parametrized by the fraction of elections two players must agree on to be considered part of the same cluster. We opted for the simpler variant in this work, as it serves as a proof-of-concept for our theoretical results; more general clustering metrics would yield the same conceptual conclusions, while making the theorem statements and proofs more opaque with orthogonal mathematical details.


Data Collection. Even though blockchain-based elections are public, extrapolating relevant observable data for analyzing VBE (and other decentralization metrics) is surprisingly difficult. Indeed,

prior work has also pointed out,
[39]. To aid the analysis and computation of VBE, we thus


We propose that DAOs choose and specify a variant of VBE to support, which then guides 
how to present voter data. For e-TOC, DAOs can keep a log mapping all token holders to a 
list of the elections they were eligible for, denoting their vote (if any). Other variants of VBE 
may require more detailed information. Feichtinger et al. successfully extrapolated a vast 
amount of governance-related data from 21 DAOs along multiple axes (albeit noting that it was 
surprisingly challenging), and open-sourced their data set in the form of “subgraphs” from The 
Graph protocol [4]. Their work may serve as inspiration for user-friendly ways to present voter 
data: 


5 Dark DAOs: Overview 


A Dark DAO is itself a DAO, but one whose objective is to subvert a system of decentralized credentials and thereby to target, e.g., voting in another DAO or DAOs. Dark DAOs were first introduced in a 2018 blog post [33]. We have shown in Section 3 that as decentralization increases, the cost of a bribery attack rises. Consequently, the need arises for a briber to perform broad coordination, as there is a need to target more users. Thus the threat of Dark DAO deployment increases.

In this section, we briefly explain what Dark DAOs are, giving an informal definition in Section 5.1. We outline their main design principle, key encumbrance, in Section 5.2. We explain the various ways in which they can disrupt votes in target DAO Section


5.1 Dark DAO Definition 


A Dark DAO is defined specifically in as a “decentralized cartel that buys on-chain votes 
opaquely.” We believe that a broader definition is more informative—one that encompasses any 


corruption of any system of credentials, whether used for voting or other purposes. Like an ordinary 
DAO, a Dark DAO it i.e., 


Additionally, a Dark DAO is “opaque” in the sense of ensuring that participation is private. 


Informally, then, a Dark DAO has the following three key properties: 


1. Opacity: Participants in a Dark DAO are indistinguishable on chain from other credential 


(Consequently, statistics like the number of participants in a Dark DAO are also hidden.)


2. Fair exchange: Once a bribee commits to accepting a briber’s offered bribe, the briber 
obtains access to the bribee’s credential and the bribee is paid the bribe. 


3. Bounded scope: A bribee who participates in a Dark DAO contributes no resource to the Dark DAO beyond a committed credential and pre-agreed-upon costs. (E.g., the bribee may also pay normal transaction fees.)


Example (voting): A Dark DAO that aims to corrupt voting in a target DAO would involve 
voters (bribees) selling their votes to a vote buyer (briber). Opacity would mean that bribees are 
indistinguishable from other voters in the target DAO. Fair exchange would mean that the briber 
pays a pre-agreed-upon amount to a bribee iff the bribee’s vote is cast as the briber prescribes in a 
particular election. Finally, bounded scope means in this context that the bribee can use her voting 
credential in an unrestricted way outside of the election in question. 


Remark: Fair exchange requires not just that a briber gain access to a user’s credential, but that the credential be usable in a pre-agreed upon way. For example, if the briber gains access to the bribee’s credential, and the bribee is paid, but the bribee can revoke the credential before use by the briber, then the exchange is not fair. To capture such subtleties, a more formal definition of fair exchange may be couched in terms of a universe of possible target-system states $\mathcal{S}$ and a transcript $T = \{S_1, S_2, \ldots\}$ for $S_i \in \mathcal{S}$ of state transitions. Fair exchange means that for $\mathcal{S}$ and a set of transcripts $\mathcal{T}$—both agreed upon by the briber and bribee—$T \in \mathcal{T}$ for the transcript $T$ of the target system’s history. We defer the development of such formalism to future work.


5.2 Main tool: Key encumbrance 


The main mechanism by which a Dark DAO achieves its properties is key encumbrance [5I]. Key 
In the 
case of voting, it enables a Dark DAO to ensure that delegated keys are used to cast the votes to which bribees have committed, but gives the Dark DAO no further control over encumbered keys.

There are two main tools that can enforce such delegation in principle in a way that does 
not require use of a trusted third party: secure multiparty computation (MPC) and trusted 
execution environments (TEEs) [621 [6T]. 

TEEs are the more practical, particularly as we demonstrate below that existing hardware- 
based TEE systems are sufficient to realize Dark DAOs. Such TEEs enable applications to run in 
an integrity- and confidentiality-protected environment. 


with the Dark DAO policy, i.e., enforces the properties enumerated in Section 5.1. In the particular


5.3 Dark DAO goals 


Globally, the goal of a Dark DAO is to subvert voting in a target DAO. There are a number of 
ways in which it can do this, of which we enumerate several here. 


Vote buying: A briber desiring a given election outcome (e.g., a “yes” vote) can simply offer 
payments are scaled to the weight associated with 
a given bribee’s vote (e.g., proportional to her DAO token holdings). Various forms of conditional 


payment are also possible, e.g., paying bribes only if the desired outcome is achieved or offering a 


We note too that vote buying works not just for systems in which votes are weighted by token 
holdings, but also “one-vote-per-person” systems, e.g., [65] [82]. In such cases, an encumbered key 
sk might be a user’s credential in a decentralized identity system, e.g., in Gitcoin Passport or 
Worldcoin. 

A Dark DAO can further increase the threat of so-called cost-less bribery. For instance, Bó 
introduces “pivotal” bribes as a way to bribe voters at virtually no cost. Consider a binary vote 
where the final result is the option chosen by the majority of voters (for simplicity, assume an odd 
number of users n) and suppose the utility of a user for a “yes” vote is U (and for a “no” vote is 
−U). A briber, wishing to bribes the user as follows:
(i.e., the voter is “pivotal” in the sense that the outcome 


Otherwise, if the user votes “no” (regardless of the result), a bribe of ε is still paid. No bribe is
paid if the user votes “yes.”

It is easy to see now that it is always individually rational for a user
to take such a bribe: regardless of the result, the user’s utility will be ε larger than if the bribe
was not taken. But this means that if all users are rational, and the bribe is offered to everyone,


(which can be arbitrarily small). A major practical hurdle in deploying such a bribe is conducting 
is coordinating enough voters, which is made significantly easier by a Dark DAO. In essence, a 
Dark DAO can make such a “pivotal”-bribe attack extremely cheap. 
Coordinated price manipulation: As noted in , it is possible for a Dark DAO to operate


without an explicit party distributing bribes. A Dark DAO can instead Onpesinpiepelleciye action.
that rewards participants indirectly. 


For example, a Dark DAO can orchestrate the following steps among a cabal: (1) Purchase a 
(2) 
the price of X to drop; (3) Close the short position at a profit; and (4) Distribute profits among 
Dark DAO participants. Dark DAO goals can in principle extend beyond voting to other actions 


as well, such as or—if the Dark DAO ingests assets 
from participants 


uae samen election integrity: EEA E 


DAO opacity 
Dark DAO could 


impact community trust in an election. 
Alternatively, a Dark DAO could selectively reveal (and prove) statistics—e.g., participation of 


at least 10% of token holdings—that would substantiate the threat it poses. 


Exploiting quadratic voting and quadratic funding: Quadratic voting is a mechanism 
that seeks to limit the influence of whales in determining election outcomes. It weights a given 
voter’s vote as the square root of her token balance. 

Quadratic voting is only enforceable if tokens are assignable to real-world identities. For in- 
stance, if votes are weighted as the square-root of token holdings by address, a whale can boost her 
voting weight by dividing her tokens among multiple accounts. 

A Dark DAO can subvert quadratic voting even when voting is conducted using a secure decentralized
identity system. That is because a Dark DAO can encumber keys not just in a way that
enforces voting choices, but also use of digital assets.

A whale can thus subvert a quadratic voting scheme as follows. The whale does not just bribe 


voters to vote for a particular outcome, but also temporarily deposits some of the whale’s funds 
with them. As bribees’ keys are encumbered, the Dark DAO can ensure not just that they vote as 


For example, a whale with 256 tokens can deposit 4 tokens with each of 63 distinct bribees.
The result would be an increase in the whale’s voting weight of a factor of $(\sqrt{4} \times 64)/\sqrt{256} = 8$.
A similar attack is possible against quadratic funding [24].
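
The arithmetic above generalizes: splitting a balance into k equal shares multiplies square-root weight by √k. The following Python sketch is an added illustration, not code from the paper or its prototype; the address and identity labels are constructed, and the other holders are assumed to own no tokens besides their share. It shows that binding weight to identities bounds a whale who splits across her own addresses, but not one whose shares sit with distinct identities voting as a bloc.

```python
from collections import defaultdict
from math import sqrt


def weights_by_address(balances):
    """Quadratic-voting weight with the square root taken per address."""
    return {addr: sqrt(tokens) for addr, tokens in balances.items()}


def weights_by_identity(balances, identity_of):
    """Quadratic-voting weight with balances summed per verified identity first."""
    per_identity = defaultdict(int)
    for addr, tokens in balances.items():
        per_identity[identity_of[addr]] += tokens
    return {ident: sqrt(tokens) for ident, tokens in per_identity.items()}


def bloc_weight(weights, bloc):
    """Combined weight of every key (address or identity) that votes with the bloc."""
    return sum(w for key, w in weights.items() if key in bloc)


def compare_weighting(total=256, parts=64):
    """Return the bloc's voting weight under four constructed scenarios."""
    share = total // parts
    addresses = [f"addr-{i}" for i in range(parts)]
    split = {addr: share for addr in addresses}

    # 1. Baseline: the whole balance sits in one address.
    single = bloc_weight(weights_by_address({"addr-0": total}), {"addr-0"})

    # 2. Per-address weighting, balance split over addresses one holder owns.
    per_address = bloc_weight(weights_by_address(split), set(addresses))

    # 3. Identity-bound weighting: every address resolves to the same identity,
    #    so the shares are summed back together before the square root.
    one_owner = {addr: "whale" for addr in addresses}
    same_identity = bloc_weight(weights_by_identity(split, one_owner), {"whale"})

    # 4. Identity-bound weighting, but each share sits with a distinct identity
    #    (the whale plus parts - 1 others) and all of them vote the same way,
    #    which is what encumbered keys guarantee in the scenario in the text.
    many_owners = {addr: f"person-{i}" for i, addr in enumerate(addresses)}
    distinct = bloc_weight(
        weights_by_identity(split, many_owners), set(many_owners.values())
    )

    return {
        "single_address": single,
        "split_per_address": per_address,
        "split_same_identity": same_identity,
        "split_distinct_identities": distinct,
    }


if __name__ == "__main__":
    for scenario, weight in compare_weighting().items():
        print(f"{scenario:28s} {weight:6.1f}")
```
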


Subverting privacy pools: Privacy pools aim to strike a balance between privacy and 
accountability in privacy coins and privacy services for cryptocurrencies. 


For example, a pool might require members to prove that they are not on a sanctions list (e.g., 
from the U.S. Office for Foreign Asset Control (OFAC), a requirement for most banks [43]). Pool 
membership then implies sanctions compliance, enabling a user to provide assurance that she is 
not sanctioned, while still preserving her privacy. 

Any set of users may choose to create a pool. Membership requirements for a pool are deter- 
mined by the community making up the pool. In this sense, a pool is like a DAO. It is also subject 
to attack by a Dark DAO. 


A Dark DAO can target a privacy pool by facilitating identity-selling and thus selling of access 
to a pool. A privacy-pool member (“lender”) can sell temporary access to her pool-compliant 


For example, a user 
in a sanctions-compliant pool can sell pool access to another user who is in fact on a sanctions list. 
To do so, the seller encumbers her address so that it is subject to limited control by the buyer. 


Example: Alice holds a Dark DAO address a that is a member of sanctions-compliant privacy pool 
P. Mallory will be receiving money from an address z. Alice agrees to help Mallory launder the 
money through P. 

Alice sets the Dark DAO policy for address a so that when funds are received from z: (1) 99% 
of funds are subject to control by Mallory, i.e., Mallory can send those funds from a to any other 
desired address and (2) 1% of funds are subject to control by Alice—as payment for Mallory’s 
borrowing of a. 


Interestingly, a Dark DAO can conversely reinforce the security of a privacy pool by enforcing 


Such a policy would limit weakening or dissolution of the pool. 


6 Basic Dark DAO 


To illustrate that Dark DAOs are practical, we have implemented a Dark DAO prototype. Our 
implementation is written in what is currently the most popular smart-contract programming 
language, Solidity. Furthermore, while it uses TEEs, it demonstrates that developing a Dark DAO 
need not require any special knowledge of TEEs, thanks to the abstractions provided by the TEE- 
based Oasis Sapphire blockchain. 

Our prototype demonstrates in particular how Dark DAOs might coordinate bribery on a pop- 
ular off-chain voting platform, Snapshot [10]. To the best of our knowledge, however, all current 
DAO voting platforms are susceptible to Dark DAO interference. Our open-source implementation 
can be found at 

In what follows, we first give a background on Oasis Sapphire and Snapshot (Section 6.1), followed
by the details of our Dark DAO design (Section 6.2) and possible future design enhancements.
We then discuss the cost of participation (Section 6.3), security (Section 6.4), deployment considerations
(Section 6.5), mitigations against negative impacts of Dark DAOs (Section 6.6), and the ethical
considerations of building a Dark DAO prototype (Section 6.7).


6.1 Background


Oasis Sapphire. Oasis Sapphire is an implementation of the Ethereum Virtual Machine that


runs entirely inside a TEE. Assuming the TEE is not broken, Sapphire is able to execute smart 


storage). In addition to matching the base implementation of the EVM, Sapphire also includes 
several built-in precompiled contracts that make it both easy and cheap to perform cryptographic 
operations pertinent to Dark DAOs: generating entropy and signing messages. These methods are 
not available in blockchains that do not use TEEs or encrypted computation, since the private key 
material or entropy would necessarily be leaked to all blockchain nodes. 
In its current state, Sapphire does not provide confidentiality for all transaction metadata: 
senders and recipients of every transaction are public. Additionally, its persistent storage lies 
outside the TEE, making contract storage access patterns a vector for information leakage [47]. In 
this paper, we do not address side channel attacks such as these. 

Sapphire is compatible with many cryptocurrency wallets today, making it a good candidate 
for hosting a key encumbrance system. 


Snapshot. Snapshot is an open source, centralized, off-chain voting platform for DAOs. Rather 
than requiring DAO users to pay the costs of making on-chain voting transactions, it accepts votes 
submitted as signed messages to the Snapshot website. The website is organized into “spaces,” 
typically one per DAO, each of which is moderated and/or controlled by a permissioned hierarchy 
of administrators and moderators of the DAO. At the time of writing, there exist over 28,000 
Snapshot spaces [10]. 

Individual DAOs are free to adjust the algorithm used to calculate the weight of an individual 
vote, termed its voting power. How much voting power a particular user gets often is determined 
by how many DAO tokens he or she is holding on a blockchain at the moment a proposal is 
created, and thus a “snapshot” of voting power is taken at the corresponding block. For a given 
DAO proposal, the signed voting messages are collected and, once the voting period is over, are 
published as receipts to IPFS [I], a distributed file sharing network. Voters can verify that their 
votes were included in the proposal’s outcome by checking their voting receipts. 

Snapshot also provides a means for delegating one’s voting power to another, presumably more 
active voter. A delegator can override his or her delegate’s vote, but would generally choose a 
delegate based on the delegate’s public reputation and likely voting profile. 


6.2 A Key-Encumbrance Dark DAO Design


Recall the Dark DAO “guaranteed vote delivery” property (Section 5.1): a Dark DAO must guarantee
that a bribed voter will cast a vote as specified by the briber. Many DAO voting systems,


however, including Snapshot, Thus 


credential. At the same time, the “bounded scope” property of Dark DAOs (Section 5.1) means that
the Dark DAO should have limited access to the voter’s credential and be able to use it exclusively 
to cast the vote for which the voter has committed to receiving a bribe. 

We resolve this tension by designing a key-encumbered wallet, which stores and manages private 
keys in smart contracts and enforces access-control policies that we refer to as encumbrance policies. 


Key-encumbered wallet. Our key-encumbered wallet application is powered by a smart con- 
tract that runs on Oasis Sapphire. The smart contract 
the keys it has generated to sign messages. To create a key-encumbered wallet, one can invoke a 


“create wallet” function in the smart contract using an external account, typically one that is not 


encumbered. We emphasize that while the aforementioned external account is the owner of the 
calls to the wallet smart contract. These calls are signed by the owner’s external account for 


authentication. 


Dark-DAO encumbrance policy. To create our own Dark DAO based on key-encumbered 
wallets, we first designed a key encumbrance policy contract that regulates all Snapshot-related 
messages signed by an enrolled wallet, including votes for DAO proposals. The policy will not 


allow a key owner to sign a vote directly; instead, the owner must unlock the ability to do so for a 
particular proposal, after which it can sign any voting message related to that proposal. But rather 
than unlocking a proposal to sign a vote, an owner may delegate its right to vote to a sub-policy: 


. If the vote is given to a sub-policy, the owner forgoes the ability to 
This mechanism guarantees to the Dark DAO that a user 


will not change a vote that it signs on the user’s behalf. (A user could try to pre-sign a vote, but that 
would be impractical for, e.g., Snapshot, where ballots incorporate proposal hashes whose inputs 


include a timestamp, exact proposal title and bo - 
more on pre-signing. ) o participate in 


several Dark DAOs at once. 


We summarize the components of our basic Dark DAO prototype in Figure 1 in the form of
pseudocode for each of the main functionalities. 


6.3 Dark DAO execution costs 


Transaction                          Gas         Cost (ROSE)   Cost (USD)
Claim bribe payment                  85,064      0.0085064     $0.00044
Deploy Snapshot encumbrance policy   2,543,239   0.2543239     $0.01314
Deploy Dark DAO contract             1,690,955   0.1690955     $0.00873


Table 1: Costs of Dark DAO transactions. 
1 ROSE = $0.05165, as of October 27, 2023. Transactions are priced at 100 Gwei, the Sapphire 
default. 


Table [1] describes the costs of the various Oasis Sapphire transactions that are necessary to 
participate in a Dark DAO. A bribee would perform the first four transactions; among those, the 
first two are the one-time costs of setting up an encumbered account, and the second two occur 
whenever a bribe is taken. The Snapshot encumbrance policy deployment is a one-time cost, 
and Dark DAO contracts would presumably all reference the same Snapshot encumbrance policy 
until API changes require an upgrade. The Dark DAO contract as written needs to be deployed 
for every DAO proposal a briber wishes to participate in, but it is straightforward to make the 
contract reusable. 
Initialization: Set accounts := {}, bribes := [].


On receive keygen() from party P:
    (sk, pk) ←$ S.keygen()
    accounts[pk] = (sk: sk, party: P, bribeId: ⊥, signed: ∅)
    Send pk to P.


On receive sign(pk, m) from party P:
    ret = (sk, P*, bribeId, signed) ← accounts[pk]
    assert (ret ≠ ⊥) ∧ (P* = P)
    assert bribeId = ⊥ ∨ m ∉ bribes[bribeId].M
    σ = S.sign(sk, m)
    accounts[pk].signed.add(m)
    Send σ to P.


On receive registerBribe(bribeAmount, M) from party B along with T tokens:
    bribeId ← len(bribes) + 1
    bribes[bribeId] = (bribeAmount, T, M, B).
    Send bribeId to B.


On receive takeBribe(pk, bribeId) from party P:
    assert accounts[pk].party = P
    (bribeAmount, T, M, B) ← bribes[bribeId].
    assert accounts[pk].bribeId = ⊥ ∧ accounts[pk].signed ∩ M = ∅ ∧ T > bribeAmount
    accounts[pk].bribeId = bribeId
    bribes[bribeId].T -= bribeAmount
    Send T tokens to P.


On receive signViaEncumberedKey(pk, m, bribeId) from party B:
    bribe = (bribeAmount, M, B*) ← bribes[accounts[pk].bribeId]
    assert (bribe ≠ ⊥) ∧ (B* = B) ∧ m ∈ M
    σ = S.sign(sk, m)
    accounts[pk].signed.add(m)
    Send σ to B.


Figure 1: Key encumbrance and Dark DAO pseudocode 


6.4 Security 


We consider an idealized model of Oasis Sapphire’s trusted execution environment [69], treating 
side-channel issues and platform-level deployment mistakes (see, e.g., [47]) as out of scope 
for our exploration in this paper. We also assume the integrity, i.e., correct execution, and liveness 
of Sapphire. Communications with Oasis Sapphire can in principle be observed by a network 
adversary. The system supports secure channels to application instances, however, and we exclude 
consideration of side channels resulting from, e.g., analysis correlating Oasis Sapphire traffic with 
on-chain behavior. (Such side channels can be mitigated through injection of noise, e.g., randomized 
delays.) 

Informally, in this model, the Basic Dark DAO we have described achieves confidentiality (i.e., 
“opacity”) as follows. An adversary—an entity seeking to probe the Dark DAO, e.g., on behalf of
the target DAO—can mount an active attack against the Dark DAO, posing as a briber and as a
set of vote-sellers. Such an adversary can learn two forms of information. 

First, to the extent that it registers bribes, the adversary learns information about voters that 
accept these bribes. The adversary learns two things about these voters: (1) The number of votes 
they are selling and (2) Their on-chain addresses. We stress that the adversary learns (1) only for 
votes it purchases, but those votes no longer then pose a threat to the target DAO. Here, (2) arises 
in a model where the adversary submits the votes it has obtained via bribery. There are three 
reasons why (2) is probably of limited practical concern: 


1. Token fungibility: If an adversary buys votes from some set of addresses, the adversary 
controls those votes for a given election. Those addresses might be blacklisted from future 
participation in the target DAO. But since tokens are fungible, they could simply be sent to 
new addresses, greatly complicating potential blacklisting policies. 


2. Cost of acquisition: Buying votes to learn associated addresses—and of course control their 
votes—is a costly strategy. It also creates a perverse incentive. It actually encourages the 
creation of Dark DAOs, as the adversary is subsidizing bribes. 


3. Private voting: Votes could in principle retain confidentiality during submission, rather than 
be obtained in cleartext by a briber. A TEE could, for instance, perform submission to a 
website (e.g., Snapshot). Although Oasis Sapphire does not directly support TLS traffic and 
thus would not enable straightforward implementation of this functionality, other TEE-based 
systems can in principle play this role, e.g., [84]. 


The second form of information available to the adversary is the size of bribes registered by 
(other) bribers—which are published to signal the opportunity to vote sellers. Published bribes 
only represent an upper bound on Dark DAO activity, however. 

In summary, at the application layer, the only feasible way for an adversary to impact the 
behavior of the Dark DAO through active attack is by buying votes. Additionally, the Dark DAO 
to the best of our knowledge presents no application-layer denial-of-service attack vectors. 


6.5 Deployment Considerations 


Pre-signing attacks. Key-encumbered wallet owners can sign an unlimited number of messages 
prior to enrolling in an encumbrance policy. This creates an opportunity for wallet owners to pre- 
sign messages they predict will be encumbered by a policy in the future and defeat the encumbrance 
scheme. For example, if a wallet owner is about to enroll in an encumbrance policy that restricts 
its ability to sign a message saying “vote for Alice,” the owner could just pre-sign this message 
before enrolling in the policy. Therefore, 


inputs, e.g., Snapshot proposal hashes. 
previous message breached the encumbrance assumptions of the policy. However, to assess whether 
a type of message has ever been signed requires each message to be recorded on the same blockchain 
Often, these schemes can be combined to produce workable encumbrance policies that would 
otherwise require enrollment from the moment of wallet creation. If an encumbrance policy can 


anchor relevant message characteristics to a specific timestamp (e.g., a DAO proposal’s hash to its 
creation timestamp), it can distinguish whether a particular message could have been signed before 


the encumbered wallet was enrolled in the policy. All the messages whose timestamps are earlier 


Campaigns. Rather than selling votes for a given election, a Dark DAO can orchestrate a bribery 


This might be an 
election outcome, or the outcome of multiple elections. But a campaign may target any of a range 
of outcomes reflected in blockchain state—e.g., successful installation of a particular user in a 
privileged role (e.g., membership in a DAO committee responsible for disbursing funds). Any of a 
range of bribery policies are also possible, e.g., rewards for recruiting fresh Dark DAO participants. 


6.6 Mitigation: Complete Knowledge 


An application can prevent access to accounts created by a key encumbrance system by requiring
a proof of complete knowledge to be demonstrated for each public key requesting access [51]. Such


shown, in totality, to an eavesdropper.
are naturally forbidden from creating valid proofs of complete knowledge. Lightweight proofs of 


complete knowledge via mobile device TEEs may soon be practical if signature verification of the 
relevant curves becomes cheap, such as through implementation of EIP-7212 [37]. 


6.7 Ethical Considerations 


We have open-sourced the code of our key encumbered wallet and message-based Dark DAO con- 
tracts. We have chosen to do this because, given the current risks of participation in Dark DAOs, the 


precondition for Dark DAOs to be effective. We feel it is important to have a clear demonstration 


of the practicality of Dark DAOs so that the community can understand the contours of the risk 
in the long term and consider effective countermeasures. 

Additionally, our code has beneficial use cases, which we will show in future work. For exam- 
ple, a confidential DAO whose treasury funds are themselves encumbered inside the wallets of its 
participants would have sidestepped some of the shortcomings of the Constitution DAO [77], whose 
public fundraising appears to have facilitated it being outbid in a silent auction. 


7 Dark DAO Lite 


Although our Dark DAO prototype demonstrates that Dark DAOs are practical to build, participating
in the Dark DAO as a bribee is not straightforward. The requirements of setting up an




To alleviate these usability issues and further emphasize the versatility of key encumbrance, we 
have created a second Dark DAO system that we call a Dark DAO “Lite”. Our Dark DAO Lite 
scheme involves a trade-off: It achieves greater usability than our basic Dark DAO, but weaker 

(Thus our use of the term “lite.”)

The key idea behind the Dark DAO Lite is its use of a DAO-token derivative to hide the 
complexity of participation. We call this derivative, which is itself a token, a Dark-DAO token or 
DD token for short. 

DD tokens in a Dark DAO Lite are derived from ordinary tokens in a target DAO through 
a conversion process. The key steps of this process, which we explain in detail further below, 
are summarized in Figure 2. A Dark DAO Lite itself, like a basic Dark DAO, is a smart contract
running on Oasis Sapphire and benefits from that chain’s confidentiality properties. Its functionality
is described in Figure 4. DD tokens, however, are
such as Uniswap. Converting between the target DAO 


token and the non-voting derivative DD tokens requires technical knowledge, but need only be done 
once by a small set of actors—who can obtain remuneration through DD token markets. Once DD 
tokens are created, no sophistication is required to manage them. 


DD tokens realize a concept that we refer to as DAO-token fractionalization. 


DAO-token fractionalization. DAO tokens grant two capabilities to their owner: (1) the ability


to sign votes on proposals and (2) ownership ri i ili 
the tokens to a different address. Key-encum ncumbra. enable a 


separation of these two capabilities by creating two paths of access control to a single private key 
controlling the tokens of a target DAO. This fractionalization yields two distinct resources: 


• Voting rights corresponding to converted target-DAO tokens.


We refer to the pool of voting rights as self-auctioning, since the auction process is automated 
and requires no intervention by DD-token holders. 


• DD tokens, which may be individually owned and correspond to ownership rights in the target
DAO plus the right to receive revenue from the auctioning of the pool of fractionalized voting 
rights. 


In the remainder of this section, we explain how the various parts of a Dark DAO Lite work 
(Section 7.1) and its security properties (Section 7.2). In what follows, unless otherwise specified,
we use the term Dark DAO to refer to a Dark DAO Lite. 


7.1 Dark-DAO Lite functionality


Converting target-DAO tokens to DD tokens. Before authorizing the creation of new DD
tokens, the Dark DAO needs to gain control over target-DAO tokens. This is accomplished by
having the target-DAO tokens sent to a freshly generated Ethereum account under the Dark DAO’s 
control. 
Figure 2: Transaction flow for converting DAO tokens to DD tokens. The Dark DAO contract, 
denoted in red, is on Oasis, while the rest is on Ethereum. The accounts at the bottom are 
encumbered, under the control of the Dark DAO contract; each deposit is sent to a fresh 
encumbered account. 


DD Token, extending ERC-20
Initialize(pk): DDpk := pk, supply := 0, authNonces := {}


On receive mint(m = (T, nonce), σ) from party P:
    assert S.ver(DDpk, m, σ)
    assert nonce ∉ authNonces[P]
    supply ← supply + T
    authNonces[P].add(nonce)
    Send T tokens to P


On receive burn() from party P along with T DD-tokens:
    supply ← supply − T


Figure 3: DD token pseudocode 


generated 
The reason for creating a fresh address for each deposit is confidentiality of these addresses. 


Because the generation process happens off chain, there is no public indication that A is controlled 


the Dark DAO to 
new EOA (externally owned account).

After the user transfers target-DAO tokens to A, the user submits a state proof of A’s target- 
DAO token balance to the Dark DAO contract, along with the ciphertext C. The Dark DAO 


contract checks the proof which begins an optional lockup period on the tokens. (See Section 
for details.) After the lockup period is complete, the user can query it to receive a signed message 


A user can then send this
signed message to the DD token contract to mint the DD tokens, as shown in Figure 3. The mint
Dark DAO Lite


function initialize(header):
    eth_block_header := header // updated by an oracle or by piggybacking on proofs
    encumbered_accounts := {}
    dark_dao_sk, dark_dao_pk ←$ S.keygen()
    balances := {}
    registered_proofs := {}
    return dark_dao_pk


function get_deposit_address():
    sk, pk ←$ S.keygen()
    encrypted_key ←$ dark_dao_sk.encrypt(sk)
    return pk, encrypted_key


function deposit_and_mint(π, recipient):
    assert π ∉ registered_proofs
    assert verify_deposit_proof(eth_block_header, π)
    encumbered_accounts.insert(π.pk, dark_dao_sk.decrypt(π.encrypted_key))
    balances[π.pk] := balances[π.pk] + π.amount
    registered_proofs.insert(π)
    message.amount := π.amount
    message.recipient := π.recipient
    return message, dark_dao_sk.sign(message)


function redeem_and_withdraw(π, recipient):
    assert π ∉ registered_proofs
    assert verify_burn_proof(eth_block_header, π)
    registered_proofs.insert(π)
    accounts, amounts := select_withdrawal_accounts(encumbered_accounts, balances, π.amount)
    signed_transactions := {}
    for account, amount ∈ accounts, amounts
        signed_transactions.insert(account.sk.sign(transfer_from(account.pk, amount, recipient)))
        balances[account.pk] := balances[account.pk] − amount
    return signed_transactions


Figure 4: Pseudocode for Dark DAO Lite smart contract on Oasis 


operation need not happen immediately; the user could presumably wait until the DD tokens need 
to be transferred or sold. 


The use of state proofs serves as a bridge between Ethereum and Oasis. We assume a trusted 
source of block hashes for this purpose. The “Oasis Privacy Layer,” which uses the Celer Network 


as a bridge system under the hood, is the existing bridge from Oasis Sapphire to any supported 
EVM network. 


Redeeming DD tokens for target-DAO tokens. The conversion process may be reversed: 


DD tokens can be redeemed for their underlying target-DAO tokens. A user holding DD tokens 
first issues a burn transaction of n tokens to the DD token contract, which removes the n DD tokens 
from circulation and records a receipt of the burn to persistent storage. The user then submits a 
state proof of the burn receipt to the Dark DAO contract on Oasis, which in return sends back a 
proportional amount of bribe money and authorizes the user to submit off-chain withdrawal requests 
to the Dark DAO contract. The Dark DAO responds to these requests with a signed Ethereum 
transaction which transfers up to n target-DAO tokens from a Dark DAO controlled account to the 
user. It is the user’s responsibility to include this transaction on the Ethereum mainnet. Note that 
DD tokens must be fungible and liquid, or else they would not be easily tradable; therefore, the 
Dark DAO contract must be able to handle partial withdrawals from its accounts. A withdrawal 
that is greater than the current withdrawal account’s balance would require multiple withdrawal 
transactions. 

On Ethereum, transactions are ordered by sender according to increasing transaction nonce: 
the first transaction by a particular sender must be signed with nonce 0, the second with nonce 1, 
and so on. Target-DAO token transfers out of Dark DAO accounts are also transactions and must 
be included in increasing nonce order. To prevent users who fail to include their transactions on 
the Ethereum mainnet from blocking other target-DAO token withdrawals, everyone who is ready 
to withdraw is issued a signed transaction from the same Dark DAO account and with the same 
nonce. The first withdrawal transaction to be included in an Ethereum block “wins,” and the other 
competing transactions with the same nonce and sender are automatically invalidated at no cost, 
per Ethereum’s rules. To allow the next withdrawal to process, a user can show a Merkle proof 
of transaction inclusion in an Ethereum block, which simultaneously increments the nonce of the 
Dark DAO account (or chooses a new withdrawal account) and marks the included withdrawal as 
completed. 
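
A simplified model of the nonce rule this paragraph relies on, as an added Python illustration that is not part of the paper's implementation. Gas, signatures and token balances are omitted, and the account and user names are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transfer:
    sender: str      # account the transaction is sent from
    nonce: int       # must equal the sender's next expected nonce
    recipient: str
    amount: int


@dataclass
class Ledger:
    """Tracks only per-sender nonces and the transactions that were included."""
    next_nonce: dict = field(default_factory=dict)
    included: list = field(default_factory=list)

    def include(self, tx):
        """Include tx if it carries the sender's next nonce; otherwise reject it."""
        if tx.nonce != self.next_nonce.get(tx.sender, 0):
            return False
        self.next_nonce[tx.sender] = tx.nonce + 1
        self.included.append(tx)
        return True


def issue_round(ledger, account, requests):
    """Issue one transfer per waiting user, all carrying the account's current nonce."""
    nonce = ledger.next_nonce.get(account, 0)
    return [Transfer(account, nonce, user, amount) for user, amount in requests]


def simulate():
    """Two withdrawal rounds from one account (constructed names and amounts)."""
    ledger = Ledger()
    account = "withdrawal-account"
    waiting = [("alice", 5), ("bob", 3), ("carol", 7)]

    # Round 1: all three users hold a transaction with nonce 0.
    round1 = issue_round(ledger, account, waiting)
    # bob's transaction reaches a block first; the other two now carry a
    # used nonce and can never be included.
    arrival_order = [round1[1], round1[0], round1[2]]
    first = [(tx.recipient, ledger.include(tx)) for tx in arrival_order]

    # Round 2: once bob's inclusion is known, the remaining users are
    # issued fresh transactions with the next nonce.
    waiting = [req for req in waiting if req[0] != "bob"]
    round2 = issue_round(ledger, account, waiting)
    second = [(tx.recipient, ledger.include(tx)) for tx in round2]

    return first, second, ledger.next_nonce[account]


if __name__ == "__main__":
    print(simulate())
```

A user who never broadcasts a transaction delays nobody in this model, because every waiting user holds a transaction with the same nonce and any one of them can advance the account.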

Ethereum transactions need to be funded before they are included, so to pay for the target-DAO 
token transfer, some ETH must be sent to the Dark DAO account in an earlier transaction. We ex- 
pect withdrawers will use Flashbots bundles to execute the funding and token transfer transactions 
atomically and to prevent other withdrawals from backrunning their funding transactions. 


DD tokens. As we have explained, DD tokens are the primary financial instrument of a Dark 
DAO Lite, issued when deposits of target DAO tokens are made to Dark DAO accounts. They can 
later be redeemed for the underlying target DAO tokens plus any accumulated bribes on the voting 
rights to the encumbered target DAO tokens. The Dark DAO smart contract on Oasis acts as the 
primary controller of all participating encumbered Ethereum accounts and is itself an encumbrance 
policy. 

We emphasize that users with DD tokens cannot vote in the target DAO with them; this voting 
ability is in the Dark DAO’s self-auctioning pool. Rather, users with DD tokens hold a claim 
to ownership in the target DAO plus a proportional fraction of the bribe revenue the Dark DAO 
creates from selling its votes. In short, 1 DD token is equivalent to the ownership rights of 1 target 
DAO token plus fractional bribe revenue. 


Voting-rights auctioning. We assume that the target DAO utilizes a message-based, off-chain 
voting system with voting power assigned to accounts based on their DAO token balances, though 
the Dark DAO contract could be adapted for other voting schemes. 

When a target-DAO proposal is published, the proposal hash is made public. Bribers who wish 
to purchase the Dark DAO’s voting power for the proposal can start an auction for that proposal 
We implemented a first-price auction in our implementation, but other auction types could be 
substituted. All auctions have a fixed duration and must end before the proposal expires, 

from all of the Dark DAO accounts. Bidders could bid on a hash that does not correspond to a 
proposal, so as implemented, any auction winner can enumerate Dark DAO accounts by reading 
the vote signatures. In Section 7.2 we briefly discuss an alternative, privacy-preserving approach.


How the DD-token market works. As conversion of target-DAO tokens to DD tokens requires 
a (small) degree of technical knowledge, including interaction with the Oasis Sapphire chain, our 


expectation is that
As ordinary ERC-20 tokens, DD tokens may be sold in either decentralized or centralized
exchanges. The value of generating DD tokens—and thus revenue for arbitrageurs—may be priced 
into the market value of DD tokens. 

Whether a given user P prefers to hold target-DAO tokens or DD tokens depends upon the 
value to the user of voting, which is related to util_P(ℰ, true) for a set of elections ℰ over which the
user intends to hold DD tokens. Given high utility, i.e., a particular desired outcome, a user may 
prefer to vote and thus hold target-DAO tokens. Many users, however, are apathetic (as discussed 
in Section B.3) and would derive higher utility instead from holding DD tokens. The technical 
requirements and user experience for holding the two types of token are identical. 

We emphasize that DD tokens may be redeemed for target-DAO tokens. Hence the fair market 
price of DD tokens should be at least that of target-DAO tokens minus the transaction cost for 


Aside from making Dark DAOs more practical, our DD-token scheme demonstrates a concept 
of broad interest: key encumbrance enables new financial assets with sophisticated policies to be 
created from the restructuring of existing ones. While use of TEEs to realize this concept has been 
previously explored [59] [70], our work is the first instance of which we’re aware in which such assets 
are realized as decentralized-finance tokens. 


Execution costs. Table 2 outlines the transaction costs of creating and participating in a Dark 
DAO Lite. 


7.2 Security 


We assume the same security model as in Section [6.4]. A Dark DAO Lite, as noted above, achieves 


(Although its integrity and DoS properties are the 
same.) 


The main reason the Dark DAO Lite does not achieve the same strong confidentiality as the 
basic Dark DAO is the liquidity of DD tokens. Recall that when deposited, target-DAO tokens are 
transferred to a Dark-DAO-generated address that is indistinguishable on chain from an ordinary 


In our implementation, bids are made in Oasis’s native token, ROSE. Over time, the DD token will have increased 
exposure to this other asset. To remedy this, the Dark DAO contract can sell its proceeds periodically for the 
target-DAO token. 
Deploy DD token contract (one-time cost) 


Deploy Dark DAO contracts (one-time cost) 


Table 2: Costs of Dark DAO Lite transactions. 
1 ETH = $1,782.22, as of October 27, 2023. Ethereum transactions are priced at 13.5 Gwei, the 
60-day average ending on October 26, 2023. 
1 ROSE = $0.05165, as of October 27, 2023. Oasis transactions are priced at 100 Gwei, the 
Sapphire default. 


EOA. When DD tokens are redeemed for target-DAO tokens, however, the address in which they 
are held is revealed to the redeeming player to be part of the Dark DAO. Furthermore, the liquidity 


For example, suppose that players only deposit one token at a time and that redemptions are 
LIFO (last in, first out). An adversary A can deposit a token and wait until another player P_1 
deposits a token. A then withdraws its token, revealing P_1’s deposit address, and then redeposits 
its token. A can do the same when P_2 deposits a token, and so forth. In principle, by withdrawing 
where t is at least as large as other players’ 


deposits over any interval of length A, 


A can identify all deposit addresses. 
Such discovery of deposit addresses through strategic redemption is somewhat costly in practice, 
because it incurs transaction costs. Our current Dark DAO Lite implementation in fact uses 
FIFO scheduling. It is possible to impede adversarial address-discovery strategies against FIFO by 
imposing a lockup period on deposited tokens. The effect of this practice is to raise the adversary’s 
capital requirements, i.e., require the adversary to control a large number of tokens. Other approaches 
might be more effective and their exploration constitutes an interesting research challenge. 

An additional form of information leakage in a Dark DAO Lite arises because the circulating 
The quantity of these tokens corresponds to the size 
of the pool of votes available for purchase in the Dark DAO. (It is possible in principle to 
enhance a Dark DAO Lite to mint fake DD tokens, a potential future enhancement.) Furthermore, 


on-chain transaction analysis may leak further information. For example, the timing of target-DAO 

8 Summary Guidance for DAOs 


Our VBE framework and the implications we show in Section [B] suggest a number of forms of 
concrete guidance for DAOs seeking to enforce or improve meaningful decentralization. We discuss 
them in this section. We summarize our guidance for practitioners in Table 3. 


| Topic | General Guidance | Reason | Relevant result |
|---|---|---|---|
| 1. Vote delegation | Given a large inactivity whale, vote delegation tends to increase decentralization. | Delegation (counterintuitively) increases decentralization by diversifying tokens away from a big inactivity whale. | Thm. |
| 2. Voting privacy | Voting privacy increases decentralization. | Private voting eases herding, whose effects are centralizing. | Thm. |
| 3. Voter bribery | The scale of bribery increases with decentralization. | Low alignment of utility functions means systemic coordination is required to impose alignment. | Thms. BA B8 and |
| 4. Dark DAO risks | Dark DAO risks are likely to increase with decentralization. | As bribery coordination costs grow, Dark DAOs become a more compelling approach to influencing vote outcomes. | Inference from Thm. B.8] and B9] |
| 5. Dark DAO feasibility | Dark DAOs are feasible today. | We have shown that existing tools enable effective Dark-DAO deployment. Technical feasibility is unlikely to prove a barrier to their use by adversaries. Complete Knowledge (CK) for voter keys may be a useful countermeasure. | Sections [6] and |
| 6. Identity verification | Weak identity verification increases centralization in quadratic voting. | A whale that can spread tokens across identities amplifies its voting power. | Analysis in Sections B.8] and 5.3] |
| 7. Voting slates / proposal bundling | Bundling choices into slates (like protocol upgrades that include many voting issues in one package) decreases decentralization. | Bundled choices artificially align otherwise heterogeneous utility functions and/or induce apathy by smoothing out utility functions. | Thm. [B.6] |
| 8. Data collection | Careful voting-statistic collection facilitates decentralization measurement. | Lack of systematic collection and publication of detailed voting statistics makes decentralization measurement challenging today. | Discussion in Section |

Table 3: Guidance implied by this paper’s results regarding DAO decentralization. 


Apathy / inactivity whale and delegation: As we show in Section [B.3], token holders who do 
not vote—those, in a rational model, with near-zero utility functions—have a centralizing effect. 
Recall that our term for this group is the inactivity whale. 

One way to diminish the size of the inactivity whale is through delegation. Intuitively, if 
tokens associated with the inactivity whale are distributed between at least two delegatees in 
distinct clusters, then they come to represent distinct utility functions—and thus contribute to 
decentralization. 

We show in Section that when the inactivity whale is large—with respect to delegatees— 
delegation increases decentralization. (Otherwise, delegation may or may not have this effect.) 
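
The delegation effect described above can be checked numerically. The following is an added example, not code from the paper: it instantiates VBE with min-entropy over bloc token shares and assumes, as a simplification of the paper's clustering of utility functions, that accounts with identical observed vote vectors form one bloc and that all non-voters form the inactivity whale. Account names, balances and votes are constructed.

```python
import math
from collections import defaultdict

def blocs(balances, votes):
    """Token weight per bloc, keyed by observed vote vector.

    Assumption: exact-match grouping stands in for the paper's clustering of
    utility functions. Accounts with no votes share the key () and together
    form the inactivity whale.
    """
    weight = defaultdict(float)
    for account, tokens in balances.items():
        weight[tuple(votes.get(account, ()))] += tokens
    return dict(weight)

def vbe_min_entropy(balances, votes):
    """Min-entropy (bits) of bloc shares: -log2 of the largest bloc's share."""
    weight = blocs(balances, votes)
    total = sum(weight.values())
    if total <= 0:
        raise ValueError("no token weight to measure")
    return -math.log2(max(weight.values()) / total)

def delegate(votes, delegations):
    """Votes after delegation: a delegator's tokens follow its delegatee."""
    out = dict(votes)
    for delegator, delegatee in delegations.items():
        if delegatee not in votes:
            raise KeyError(f"delegatee {delegatee!r} has no voting record")
        out[delegator] = votes[delegatee]
    return out

# Constructed voting history over three proposals.
VOTES = {"alice": ("yes", "no", "yes"), "bob": ("no", "no", "yes")}
# Large whale: 80% of tokens never vote.
LARGE = {"alice": 10, "bob": 10, "idle1": 30, "idle2": 30, "idle3": 20}
# Small whale: the idle holder is no larger than either delegatee.
SMALL = {"alice": 40, "bob": 30, "idle1": 30}

def large_whale_case():
    """Whale split across two delegatees in distinct blocs."""
    split = delegate(VOTES, {"idle1": "alice", "idle2": "bob"})
    return vbe_min_entropy(LARGE, VOTES), vbe_min_entropy(LARGE, split)

def small_whale_case():
    """Small whale delegating to the already-largest bloc."""
    merged = delegate(VOTES, {"idle1": "alice"})
    return vbe_min_entropy(SMALL, VOTES), vbe_min_entropy(SMALL, merged)

if __name__ == "__main__":
    print("large whale: %.3f -> %.3f bits" % large_whale_case())
    print("small whale: %.3f -> %.3f bits" % small_whale_case())
```

With the large whale the measure rises from about 0.32 to 1.32 bits; with the small whale it falls from about 1.32 to 0.51 bits, an instance of the "may or may not" case.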


Herding / voting privacy: There is anecdotal evidence suggesting that social pressure causes 
herding—specifically that voters align themselves with whales or voting blocs [72]. We may view 
the effect as a shift in utility function. As we show in Section [8.5] this shift has a centralizing effect. 

Herding arises because votes are publicly visible. Voting privacy in principle alleviates such 
pressure and therefore has a decentralizing effect. 

Snapshot, a popular platform for DAO voting, has recently implemented a form of privacy 
called shielded voting [73]. This form of privacy, however, is only ephemeral: Votes are private when 
submitted, but revealed at the end of the vote-casting period. So it is unclear that it can fully 
address the centralizing effects of herding. 

End-to-end verifiable voting systems have been proposed in the literature for decades that 
achieve both voting integrity and confidentiality [12]. How to implement them with token-based 
weighting is, to the best of our knowledge, though, an open problem. 


Voter bribery: Our work shows a relationship between centralization and bribery. In general, 
bribery causes an increase in centralization, as it has the effect of aligning the utility functions of 
other players with those of the briber, as we show in Section 

We also show that as decentralization increases, bribery cost increases. Roughly speaking, 
increasing diversity in utility functions means increasing cost to align them. 

DAOs today are largely centralized [76]. Bribery may not be especially useful, 
as whales generally exert strong control and require relatively little coordination to align utility 
functions into a favorable voting bloc. Voter bribery, however, is a problem in many settings, both 
in political voting and in corporate governance (see, e.g., [71]). 

One implication of our results is that as DAO decentralization increases, in order for bribery to 
succeed, it will need to be systemic. DAO designers should therefore recognize large-scale bribery 
as a future risk. 


Dark DAO risks: We hypothesize that the most technically feasible way to implement large-scale 
bribery is through a Dark DAO. 

We have presented in Section [6] the first fully functional private Dark DAO capable of subverting 
votes on Ethereum. Our architecture leverages the privacy assurances of TEEs in Oasis, but bridges 
to Ethereum, where most DAOs operate. Our results show that Dark DAOs are technically feasible 
(and incur low transaction costs) and thus represent a viable future threat. 

Dark DAOs pose not just a technical threat, but also a psychological one. The mere existence 
of a Dark DAO may create a perception of vote-manipulation even if the Dark DAO has minimal 
impact. Moreover, Dark DAOs can be used not just for direct bribery but also for more subtle 
attacks. They can, for instance, subvert quadratic voting schemes even when such schemes rely on 
well-functioning decentralized identity systems. 
One possible countermeasure DAO designers may ultimately wish to consider is requiring voting 
participants to execute complete-knowledge (CK) proofs on their keys [51]. 


Voting slates / bundling proposals: A common trick for passing pieces of legislation that are 
unpopular or have a narrow base of support is to bundle them together in large bills. Earmarks 
are a prime example [14]. 

This practice may be regarded as a form of utility-function “smoothing”: The utility function 
of the bill as a whole (for the legislators voting on it) differs from that of its components. 

As the practice of bundling proposals / measures has the goal of aligning utility functions, from 
the standpoint of VBE, it generally has a centralizing effect, as we show in Section DAOs 
may therefore wish to consider limiting the practice and instead explore ways to unbundle multi- 
component proposals. 


Data collection: There is no practical way to compute VBE directly—since players typically do 
not express their utility functions. As we discuss in Section [4] however, there are ways to estimate 
it for a DAO based on voting history. We have found it challenging to collect full voting histories for 
even popular DAOs. A recommendation for the community is to establish and adhere to standards 
for archival preservation of DAO voting data. A few 


9 Related Work 


DAOs: Research literature on DAOs has been limited to date, but fairly broad. It has included 
measurement studies [72], retrospectives on the failure of The DAO (e.g., [36]) and ways of 
addressing related technical flaws in smart contracts such as dangerous reentrancy (e.g., [28]), 
DAO mechanism design (e.g., [16]), and exploration of DAOs from the standpoint of legal theory 
(e.g., [46] [79]) and economics and governance (e.g., ). 

Works exploring measurement of DAOs’ degree of decentralization most notably include 
Feichtinger et al. [B9], who explore Gini and Nakamoto indices, as well as participation rates and the 
monetary cost of governance, Sharma et al. [72], who consider various notions of entropy, as well 
as participation rates and graph-based measures of decentralization, and [83], which taxonomizes 
DAOs by comparison with other autonomous systems. Sun et al. use clustering to identify voting 
blocs in a study of MakerDAO [75]. Also of note is the informal notion of “credible neutrality,” a 
community standard articulated in, e.g., [21]. 


Social choice and voting theory: A long line of work on social choice and voting theory 
investigates how best to aggregate preferences of individual voters—the same functionality that 
DAOs seek to provide in the decentralized setting. There are some major differences in the DAO 
setting however, which may reduce how effective existing techniques will be. For instance, the 
permissionless nature of DAOs allows for the presence of Sybils which is not typically accounted 
for in existing voting theory literature. Further, while the threat of large-scale voter bribery is 
typically safe to ignore in classical voting, both due to the high likelihood of detecting such an 
attack, as well as the challenge in coordinating the attack itself, as shown in our paper, Dark 
DAOs invalidate these prior assumptions in the DAO setting. 
Still, we believe that DAOs can provide an excellent practical battleground for experimenting 
with different social choice and voting techniques in the real world. 


Vote-buying / coercion: There is a considerable literature on the notion of coercion-resistance 
in end-to-end verifiable voting [49] [54]. Broadly speaking, coercion-resistance means that a 
voter cannot convince a would-be briber or coercer of how she voted. Influential proposed 
coercion-resistant voting systems include notably Civitas [30] and, more recently, MACI [20]. None of these 


ees designs contemplate the risk 
em. 


Unauthorized credential delegation: Daian et al. put forth the notion of a Dark DAO—a 
DAO that aims to subvert voting in other DAOs—in [33]. In related work, Matetic et al. propose 
use of TEEs as a tool for secure credential delegation—which may be unauthorized [59], and Puddu 
et al. explore malicious uses, including subversion of e-voting [70]. 


10 Conclusion and Open Research Questions 


We have proposed Voting-Bloc Entropy (VBE) as a new metric for DAO decentralization. VBE 
measures the entropy of voting blocs. It is in fact a framework into which it is possible to plug any 
desired method of clustering to identify blocs and any notion of entropy. 

Evaluating VBE—instantiated with ε-threshold ordinal clustering and min-entropy—we have 
proven a number of results that shed light on how a number of practices may impact DAO 
decentralization. We have also shown both in theory and through implementation of a practical 
system how Dark DAOs pose a potential long-term threat. 

Our work gives rise to a number of open research questions. A few deserve particular mention: 


• Privacy: Our results suggest the potential decentralizing effects of ballot secrecy, i.e., private 
voting. Existing verifiable end-to-end voting systems implement a one-vote-per-person 
policy [12]. One open research question is whether token-weighted variants are possible. Ad- 
ditionally, we emphasize in our work the importance of collecting voting data to facilitate VBE 
estimates. How to harmonize these opposing goals represents a second research challenge. 


• Forking and escape hatches: DAOs may suffer catastrophic failures, as was famously the 
case with The DAO [40]. Proposed remedies include forking / splitting, in which a new, 
quasi-independent or independent DAO is created, and escape hatches, which are committee- 
controlled shutdowns [38]. How their existence and use impact decentralization is unclear 
and deserves study. 


• VBE impact: VBE is designed to formalize a view of decentralization in DAOs reflected in 
the literature and in the views of practitioners. A natural question is what impact high VBE 
has on decision making in DAOs. 
and financial outcomes in DAOs? How does it relate to notions of democratic participation 
in non-blockchain settings? 